Podcast Detail

SANS Stormcast Friday, August 15th, 2025: Analysing Attack with AI; Proxyware via YouTube; Xerox FreeFlow Vuln; Evaluating Zero Trust @SANS_edu

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9572.mp3


AI and Faster Attack Analysis
A few use cases for LLMs to speed up analysis
https://isc.sans.edu/diary/AI%20and%20Faster%20Attack%20Analysis%20%5BGuest%20Diary%5D/32198


Proxyware Malware Being Distributed on YouTube Video Download Site
Popular YouTube download sites will attempt to infect users with proxyware.
https://asec.ahnlab.com/en/89574/

Xerox FreeFlow Core Vulnerability
Horizon3.ai discovered XXE Injection (CVE-2025-8355) and Path Traversal (CVE-2025-8356) vulnerabilities in Xerox FreeFlow Core, a print orchestration platform. These vulnerabilities are easily exploitable and enable unauthenticated remote attackers to achieve remote code execution on vulnerable FreeFlow Core instances. 
https://horizon3.ai/attack-research/attack-blogs/from-support-ticket-to-zero-day/

SANS.edu Research: Darren Carstensen Evaluating Zero Trust Network Access: A Framework for Comparative Security Testing
Not all Zero Trust Network Access (ZTNA) solutions are created equal, and despite bold marketing claims, many fall short of delivering proper Zero Trust security.
https://www.sans.edu/cyber-research/evaluating-zero-trust-network-access-framework-comparative-security-testing/

Podcast Transcript

 Hello and welcome to the Friday August 15th, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from
 Jacksonville, Florida. And this episode is brought to you
 by the SANS.edu Bachelor's Degree Program in Applied
 Cybersecurity. And talking about our bachelor's degree,
 we do have another guest diary by one of our undergraduate
 interns. This time Joseph Noa is writing about how AI tools
 help Joseph to better understand some of the events
 during the internship where our students are typically
 analyzing alerts that they see in their honeypots. This
 particular case looks at some issues like, for example,
 analyzing logs or analyzing little scripts that were found
 by the honeypot. So for example, better understanding
 what certain commands mean, do and how their impact may
 necessarily sort of affect the particular honeypot
 environment system. Here we have a very typical example in
 this blog post about command injection attack and details
 like the nohup command, for example, in Linux. What this
 does is, well, yes, you could probably figure it out with
 Google as well, but much easier to sort of get it
 explained in context by various AI engines. As usual,
 in particular, as a beginner, be careful, verify your
 results that you are not sort of ending up with a very
 plausible but wrong hallucination from the AI
 system. And AhnLab is reporting about an interesting new way
 how proxyware malware is being distributed. In this case,
 it's a YouTube video download site. What's happening here is
 that you have websites that allow you to essentially
 quickly download a YouTube video, the actual video file.
 One example here is YTMP4, basically YouTube MP4. You
 provide it with the YouTube link and in turn, you'll be
 able to download an MP4 file with the video, or at least
 that's sort of how the site is supposed to work. In this
 case, what you end up with instead when you're
 downloading this file is, well, a malware. You are
 ending up with a setup script that will then install the
 proxyware. If you're not familiar with proxyware, it's
 not a type of malware we're really talking a lot about,
 but it's certainly quite popular and common. And it is
 basically used to turn your PC into a proxy. And then the
 attacker will essentially rent out your PC to allow other
 attackers or just people who want to watch sports online or
 such to actually use your PC essentially like a VPN via the
 installed proxy. This often has then, of course,
 detrimental effects on your system. And of course, they
 can at any time also install additional malware on your
 system. For the affected user here, this is probably one of
 the sort of, you know, less critical piece of malware that
 you could possibly have on your system. But keep in mind
 that it's often used for illegal activity, which of
 course then may also get you in trouble as the traffic is
 being reversed back to your IP address.
 And Horizon3 is at it again with a great write-up with
 details regarding vulnerability, actually two
 vulnerabilities in Xerox's FreeFlow print management
 system. This particular set of vulnerabilities, external XML
 entity vulnerability as well as a path traversal
 vulnerability will get you full remote code execution on
 the vulnerable system. I particularly like the
 discussion here of the external XML entity
 vulnerability because I think they are actually quite a
 common but often overlooked and not really sort of often
 well understood as far as what their severity goes. So
 definitely a good write-up here if you're not sure what
 you're going to do. If you're not using Xerox's FreeFlow
 Core update
 now, the patch for this vulnerability was only
 released, I think it was last Friday, it was on August 8th.
 Well, and it's Friday and I have yet again another
 SANS.edu student to talk about their research project.
 Darren, could you introduce yourself, please? Yeah,
 absolutely. I'm Darren Carstensen. I'm one of the
 MSISE graduates and a fellow co-worker in the security
 realm. Are you done with the degree now? I'm sorry. I am. I
 just finished up last month. So people can trust you now,
 but your paper was Zero Trust. So what was the paper about?
 Can you just summarize that a little bit?
 Yeah, yeah. The paper was born out of a bit of frustration I
 had where I was being tasked with helping solve customer
 problems and one of those was around zero trust network
 access, which in the name implies zero trust. But I
 found in reality there was some big differences in what
 was actually being executed. So I decided to build a
 research paper around how you can actually measure the
 amount of zero trust in a zero trust network. Great. And now
 zero trust, of course, one of the problems is it's actually
 not as much anymore, but it used to be one of those hot
 topics. And now it probably is how to use AI in zero trust.
 But the and there were sort of a couple of definitions going
 around. In your opinion, what's one of the critical
 things from a technical point of view that you look for to
 see if zero trust is actually implemented?
 Yeah, it's it's basically going back to understanding
 that you need to go away from the trust but verify principle
 and move more towards the never trust always verify and
 be doing that across the entire IT spectrum. So not
 just focused on doing it networking or only an
 identity, but doing it across really the five different
 pillars, which would be identity, devices, networks,
 applications. So how do you measure it? It's like we
 always look for something you can measure in our research
 papers.
 Yeah, so I mean, ultimately, the government, the
 Cybersecurity and Infrastructure Security Agency, or CISA, came
 out with a decent way of measuring your maturity level
 within zero trust, and they call that the Zero Trust
 Maturity Model version 2.0 is the latest iteration of that.
 And it really helps break down not just are you doing zero
 trust, but at what maturity level are you at, you know,
 going from just one example is okay, say you're doing
 identity security practices, and you have multi-factor.
 That's great. That's great. But do you have things like
 the phishing-resistant multi-factor authentication to help
 measure, oh, you're not just doing MFA, but you're doing it
 in a better stance than everyone else. That's actually
 that's a little bit of favorite topic of mine right
 now that it's a phishing-resistant part. Can you just
 tell us quickly how common multi-factor authentication is
 not phishing-resistant?
 Sadly, it's still, I would say fairly common from my
 perspective, what I've seen in you know, with the real world
 and in production environments. Some cases it's
 legitimate reasons like we've got folks that don't have
 equipment that can support that that other times it's
 cultural, but oftentimes we still see you know, allowing
 things like SMS, allowing things like basic push
 notifications that don't have a lot of context or data or
 information presented to the end users. So I would I feel
 like in the number of conversations I have with
 customers, it's almost 50/50: folks that are beginning or
 are doing some phishing resistance, but also the other
 50% still. And what about phishing-resistant multi-factor
 authentication that look like?
 It gets rid of a lot of some of the older things that can
 be taken advantage of the easy and common examples around SMS
 messages that would give you those one time passwords. Um,
 where essentially it's giving you that password, but
 oftentimes people will phish, um, or phish users to try and
 get that token and get them to pass that on to the attacker
 so that they can leverage that as well. Um, so moving away
 from that and moving more towards things like biometrics
 or even push notifications that can include more context.
 Like it's this person's identity coming from this geo
 location at this time, this IP address. Yeah. Yeah. Yeah.
 Yeah. So phishing is like, you know, one of, uh, the attacks
 here that zero trust kind of tries to address. Uh, of
 course, we're not implementing security controls without any
 real threat that we're actually blocking here. Uh, as
 part of your research, uh, what kind of, what type of
 attacks did you consider?
 So I tried to cover a variety of different things. Um, I, I
 went through each one of the pillars and just picked a
 simple, uh, well, relatively simplistic example, and it
 ranged from identity, uh, on that side. I did some
 simplistic things like, can we just do role-based access
 control? Um, and then also can we do step-up authentication
 with multi-factor to say, oh, if a user is accessing a
 sensitive resource, can we based on that sensitivity do
 step-up authentication? Uh, I went into the device side and
 measured, okay, can we evaluate, uh, does the device
 have disk encryption? Is it have healthy endpoint
 protection and antivirus definitions? Um, I went into
 other areas and one of the more interesting ones or two
 interesting ones, was around the application layer where I
 did some SQL injection to see, is it application aware? Can
 we actually see what's going on there? Uh, and also passing
 malicious content to see, can it identify when someone's
 passing in one specific instance, like a Meterpreter
 payload or reverse shell payload? Uh, is that
 able to be detected and picked up upon? Are we looking truly
 at the, at the payloads? And then the data layer, which I
 thought was going to be straightforward, was looking
 for data loss prevention. Can we just pick up simple things
 like PCI or PII data, um, which is pretty common in most
 environments. And can we do some actual detections and
 preventions and blocking, uh, around that one? That last
 step with, uh, data loss prevention, how did that go? Did, that's
 it. It was a little bit surprising. Um, I, I picked
 five different vendors. Um, three of them are leaders in
 the zero trust network access space. And then I picked a
 more niche one and I picked a small, medium business one.
 Um, almost nobody was able to pick up on the data loss
 prevention. And the simplistic test that I had established
 was a remote user just trying to access and upload and
 download sensitive data from a Windows file server, you know,
 using, using SMB protocol. And, uh, only one player or
 one provider out of that space was able to actually do the
 PII and PCI. Um, but they didn't pick up on, on
 malicious content. And the one provider that I thought was
 going to be the most robust because they advertise having
 enterprise DLP. And, and I put that in air quotes. Um, they
 actually, their enterprise DLP only covers HTTP, HTTPS
 traffic. So they completely missed the sensitive data
 being transferred over a Windows file share, which,
 which kind of was, I guess, you know, once you get to zero
 trust, I guess they assume that you blocked port 445.
 But, or
 maybe, maybe they just assume nobody does Windows file
 shares anymore. Probably. Yeah. These days you never
 know. Yeah. I have seen like, uh, DLP, of course, a lot of
 people joke a little bit about DLP. It's hard. It's a hard
 problem to do. Uh, like sometimes, even if you, if you
 do look at the HTTPS, then you look at web socket and, uh,
 some of those things that, uh, can still be used for, for
 exfiltration. Even if you are fairly tight, uh, but, uh,
 yeah. So, uh, did it at least show who did it kind of,
 because that's the other games of a zero trust is that,
 that authentication part, uh, like, uh, if it doesn't
 prevent the attack, does it at least show who, uh, originated
 the attack or.
 Yeah. Yeah.
 Yeah. So even if it didn't pick up that it was malicious
 or that it was an attack, you could at least go back. And if
 you had some other, like a SIEM or some other analytical tool
 that would pick up on that, great. The data was there, but
 in some cases it wouldn't even identify that and it wouldn't
 trigger and you wouldn't have enough insight. Now you
 wouldn't have enough logging, um, context to be able to put
 that together. Well, there's more detail in the paper and
 the link to the paper will be in the show notes, but, um,
 any final words? Is it worth doing zero trust or.
 I think it's absolutely something that some of us are
 doing naturally as, as security practitioners. I
 don't find enough folks are doing, uh, deeply enough.
 They, they were like, oh, I bought a product like zero
 trust network access. So that checks the box, right? It has
 zero trust in the name. So the, the one takeaway that I
 would, I would recommend or, or put out there is that, uh,
 again, kind of like zero trust implies don't trust, try and
 verify. And if you're looking at solutions that are going to
 increase your security and reduce your risk, test it out,
 um, evaluate it against your environment or your own
 criteria and, and confirm that it is going to meet your
 expectations. Because oftentimes the, the marketecture,
 as we call it is, is ahead of what, where they're
 at from an execution. Yeah. Great final words there. So
 again, the link to the paper will be in the show notes. If
 anybody has any questions, there's also contact
 information for Darren in the paper. So thanks for listening
 and talk to you again on Monday. Bye. Bye.