
SANS Stormcast Thursday, August 28th, 2025: Launching Shellcode; NX Compromise; Volt Typhoon Report

Audio file: https://traffic.libsyn.com/securitypodcast/9590.mp3


Interesting Technique to Launch a Shellcode
Xavier came across malware that uses PowerShell and the CallWindowProcA() API to launch code.
https://isc.sans.edu/diary/Interesting%20Technique%20to%20Launch%20a%20Shellcode/32238

NX Compromised to Steal Wallets and Credentials
The popular open source NX build package was compromised. Code was added that uses AI tools like Claude and Gemini, where installed, to locate and steal credentials from affected systems.
https://semgrep.dev/blog/2025/security-alert-nx-compromised-to-steal-wallets-and-credentials/

Countering Chinese State-Sponsored Actors’ Compromise of Networks Worldwide to Feed the Global Espionage System
Several law enforcement and cybersecurity agencies worldwide collaborated to release a detailed report on the recent Volt Typhoon incident.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a

Podcast Transcript

Hello and welcome to the Thursday, August 28, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Baltimore, Maryland. And this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity.

Xavier today published a diary describing an interesting technique to launch shellcode. Now typically, when an attacker is attempting to execute code after gaining some access to the system, the attacker will allocate some memory, mark it as executable, then copy their code into that memory and then launch that code. Now this typically launches the code in the context of the current thread. But of course there are other techniques to also inject it into another thread. The problem with this technique is, well, it's very common, very well known. And as a result it's also often flagged by various EDR tools. What Xavier came across is a slight deviation of this where the attacker in the end does execute the code by actually calling a Windows API, CallWindowProc. CallWindowProcA is meant to call various internal Windows functions. But the way the function works, it actually, well, just accepts any memory pointer to then basically execute code at that location. So an attacker can use that to execute their code after copying it into memory. So it's not limited just to executing various parts of the Windows operating system's code. Interesting technique, and apparently it works quite well the way Xavier observed it here. And yes, it may be used to bypass some EDR tools.

And yes, we sadly have yet another supply chain compromise incident. This time the problem is the NX build tool. This is a popular build tool that's being used by developers to basically optimize how software is tested and built after you make changes to the software. So here, Semgrep has a great blog post summarizing what happened. So the NX tool was compromised. Any developer downloading the compromised version then had a telemetry.js file executed as part of the install procedure. This telemetry.js file actually used Gemini AI or Claude, if installed, in order to search the developer's system for secrets. They were particularly going after cryptocurrency-related secrets, but also things like deploy keys and the like. So essentially anything that can help the attacker to either steal cryptocurrency or further compromise the software that the developer was working on. This data was then exfiltrated to GitHub. There was a new repository that was then being added as part of the victim's GitHub account, and the secrets were posted to this repository. It's overall an interesting event. First of all, having such a major tool being compromised. Apparently it's used by 2.5 million developers. Not sure if that's just the number of downloads or actual users. And around a thousand or so developers appear to have been affected and had their credentials actively stolen, based on some searches on GitHub. Both NX and GitHub have responded. So you won't find these repositories on GitHub anymore. Also, there's an updated version of NX that removes the malicious code. I haven't seen any details on how NX was compromised, so whether that was just one of those usual leaked-password kind of incidents or if there was anything more to it. But given that this particular attacker is very much into stealing credentials, it's very possible that in an earlier attack they were able to get hold of the NX developers' credentials. Not much you can actually do here from a victim's point of view. Yes, I could say, hey, review whatever code you're downloading. But NX is a well-respected, frequently used tool. So you shouldn't really have any suspicion here when you're using this tool. It's also a fairly complex tool. So it's not a tool where you could easily just review the code and make sure that it hasn't really been tampered with.

And a number of law enforcement and cybersecurity agencies worldwide have collaborated on a really great and detailed write-up on the incident that has often been referred to as Volt Typhoon, among other names. This is basically a compromise of various telco and other companies by Chinese state-sponsored actors. And this write-up goes over quite a bit of detail on how, for example, initial access worked. Well, no surprise here. The hackers' best friend. They love it if you spend a lot of money on security devices like Palo Alto and Cisco. And then, of course, also Ivanti is what they always love to gain access to your network. Also, a couple of things here stick out from sort of a defensive point of view. For example, network monitoring. One of my favorite things, like the use of GRE and IPsec tunnels, which should in most networks, in particular GRE tunnels, raise an alert because they're not really that commonly used. And, well, you should really know what GRE and IPsec tunnels are expected in your particular network. So a really good write-up, very technical, so hands-on kind of things you can look for, things that can inform your detection and threat hunting.

Well, that is it for today. So thanks again for listening and talk to you again tomorrow. Bye-bye.
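As an added illustration of the detection point made in the Volt Typhoon segment (not code from the episode, the advisory, or any of the projects mentioned), the following script flags GRE and IPsec tunnel traffic in flow records unless the endpoints are on an allowlist of known tunnels. It goes slightly beyond the transcript by also matching IKE on UDP 500/4500; the flow records and the allowlist are constructed sample data.

```python
from collections import namedtuple

# A minimal flow record: source, destination, IP protocol number, destination port.
Flow = namedtuple("Flow", "src dst proto dport")

# IP protocol numbers and UDP ports associated with tunnelling.
GRE = 47
ESP = 50
AH = 51
UDP = 17
IKE_PORTS = {500, 4500}  # IKE and IKE NAT-T


def classify(flow):
    """Return the tunnel type of a flow, or None if it is not tunnel traffic."""
    if flow.proto == GRE:
        return "GRE"
    if flow.proto in (ESP, AH):
        return "IPSEC"
    if flow.proto == UDP and flow.dport in IKE_PORTS:
        return "IKE"
    return None


def find_unexpected_tunnels(flows, expected_pairs):
    """Return (flow, type) for tunnel flows whose endpoints are not expected.

    expected_pairs holds (src, dst) endpoint pairs; direction is ignored
    because a tunnel carries traffic both ways.
    """
    allowed = {frozenset(p) for p in expected_pairs}
    findings = []
    for f in flows:
        kind = classify(f)
        if kind and frozenset((f.src, f.dst)) not in allowed:
            findings.append((f, kind))
    return findings


# Constructed sample flows: one sanctioned site-to-site IPsec tunnel plus
# a GRE tunnel from an internal host, which is the kind of thing to alert on.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "198.51.100.20", ESP, 0),    # expected VPN
    Flow("203.0.113.10", "198.51.100.20", UDP, 4500),  # expected IKE NAT-T
    Flow("10.20.30.40", "192.0.2.77", GRE, 0),         # unexpected GRE
    Flow("10.20.30.41", "10.20.30.1", 6, 443),         # ordinary HTTPS
]
EXPECTED_TUNNELS = [("203.0.113.10", "198.51.100.20")]

if __name__ == "__main__":
    for flow, kind in find_unexpected_tunnels(SAMPLE_FLOWS, EXPECTED_TUNNELS):
        print(f"ALERT: unexpected {kind} tunnel {flow.src} -> {flow.dst}")
```

In practice the flow records would come from NetFlow/IPFIX or firewall logs, and the allowlist from the tunnel inventory the transcript says every network should have.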