SANS Stormcast Wednesday, September 3rd, 2025: Sextortion Analysis; Covert Channel DNS/ICMP; Azure AD Secret Theft; Official FreePBX Patches
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9596.mp3

A Quick Look at Sextortion at Scale
Jan analyzed 1,900 sextortion messages that used 205 different Bitcoin addresses to look at the success rate, lifetime, and other metrics that define these campaigns.
https://isc.sans.edu/diary/A%20quick%20look%20at%20sextortion%20at%20scale%3A%201%2C900%20messages%20and%20205%20Bitcoin%20addresses%20spanning%20four%20years/32252
Azure AD Client Secret Leak
Attackers are stealing Azure AD client secrets from websites that leave the configuration files containing them exposed.
https://www.resecurity.com/blog/article/azure-ad-client-secret-leak-the-keys-to-cloud
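An added example, not code from the Resecurity post: a Python scan of constructed web access log lines for requests to appsettings.json and its environment-named variants (the probing the transcript describes), escalating when the server actually returned the file. The combined log format, the sample addresses and the paths are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Apache/nginx "combined" access log layout; only the fields needed here are captured.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Matches appsettings.json and environment variants such as appsettings.Development.json
# or appsettings.dev.json, anywhere in the request path (query strings are tolerated).
APPSETTINGS_PROBE = re.compile(r"/appsettings(?:\.[A-Za-z0-9_-]+)?\.json(?:$|\?)", re.IGNORECASE)

def classify_probe(line: str) -> Optional[Tuple[str, str, int, str]]:
    """Return (ip, path, status, severity) for a request targeting an appsettings file, else None."""
    m = ACCESS_LINE.match(line.strip())
    if not m or not APPSETTINGS_PROBE.search(m["path"]):
        return None
    status = int(m["status"])
    # A 2xx means the web server really served the file: the client ID and client secret inside
    # it must be treated as compromised and the secret rotated. Anything else is reconnaissance.
    severity = "exposed" if 200 <= status < 300 else "probe"
    return m["ip"], m["path"], status, severity

def scan_access_log(lines: List[str]) -> List[Tuple[str, str, int, str]]:
    return [hit for hit in (classify_probe(line) for line in lines) if hit is not None]

# Constructed sample log lines (not from the page): two probes from one client, one of which succeeded.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [03/Sep/2025:10:00:01 +0000] "GET /appsettings.json HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Sep/2025:10:00:02 +0000] "GET /appsettings.Development.json HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [03/Sep/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Sep/2025:10:00:04 +0000] "GET /static/app.json HTTP/1.1" 200 33 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, status, severity in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{severity:8} {ip} {path} -> {status}")
```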
Covert Channel via ICMP and DNS
A new backdoor combines ICMP and DNS in new ways for covert communication. Its DNS requests use domain names made of a fixed prefix followed by a base64-encoded command, and its ICMP echo request packets carry commands as their payload.
https://blog.xlab.qianxin.com/mystrodx_covert_dual-mode_backdoor_en/
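An added example, not code from the X-Lab write-up or from the backdoor: this Python scans constructed resolver log lines for queries built from a fixed prefix plus a base64-encoded remainder, the pattern described above, and decodes the remainder so an analyst can see what was carried. The prefix `cmd`, the `<prefix>.<base64 labels>.<suffix>` layout and the log line format are assumptions.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Hypothetical placeholder: the page does not give the bot's real prefix or exact name layout.
# Assumed layout: <FIXED_PREFIX>.<base64 command, possibly split over labels>.<one trailing label>
FIXED_PREFIX = "cmd"
B64_CHARS = re.compile(r"^[A-Za-z0-9+/_-]+$")
# Constructed resolver-log layout: "<timestamp> <client> query <type> <qname>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")

def decode_covert_command(qname: str, prefix: str = FIXED_PREFIX) -> Optional[str]:
    """Return the decoded command if qname follows the covert layout, otherwise None."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3 or labels[0].lower() != prefix:
        return None
    payload = "".join(labels[1:-1])  # labels are limited to 63 chars, so payloads may be split
    if not B64_CHARS.match(payload):
        return None
    padded = payload + "=" * (-len(payload) % 4)  # '=' is not label-legal, senders strip padding
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            text = decoder(padded).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if text and text.isprintable():  # printable ASCII cuts false positives from real hostnames
            return text
    return None

def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, qname, decoded command) for every query matching the covert layout."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        cmd = decode_covert_command(m["qname"])
        if cmd is not None:
            hits.append((m["client"], m["qname"], cmd))
    return hits

# Constructed sample log lines (not from the page): two covert queries, one benign lookup, one near miss.
SAMPLE_DNS_LOG = [
    "2025-09-03T10:00:01Z 10.0.0.5 query A cmd.bHMgLWxh.example",
    "2025-09-03T10:00:02Z 10.0.0.6 query A www.example.com",
    "2025-09-03T10:00:03Z 10.0.0.5 query TXT cmd.d2hvYW1p.example",
    "2025-09-03T10:00:04Z 10.0.0.7 query A cmd.not!base64.example",
]
```

Because the bot reads these names from a raw socket, the suffix never needs to resolve, so a hit on a name outside your registered zones is the stronger signal.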
Official Release of Critical FreePBX Patch
Sangoma has announced that the experimental patch released for the exploited FreePBX vulnerability is now considered stable, and users should update to apply it.
https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203
Podcast Transcript
Hello and welcome to the Wednesday, September 3rd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. This episode is brought to you by the SANS.edu Graduate Certificate Program in Industrial Control System Security.

In diaries today, we do have a new diary by Jan. Jan has written about sextortion scams in the past. As a result of one of those posts, a reader and listener got Jan access to a relatively large corpus of different sextortion email scams. This particular set of messages had about 1,900 different emails with 205 different Bitcoin addresses being used. Now, what was sort of interesting is that over time, it looks like the effectiveness of these emails has been declining. And that kind of makes sense, given that people keep getting the same message over and over. Eventually, they'll probably get sick of paying over and over as well. But still, they are somewhat successful. The payments usually arrive within a day of the messages initially being sent, so these are fairly short-lived campaigns as well. Overall, they usually ask for a couple hundred to a couple thousand euros or dollars. And then there are a couple of outliers that ask for significantly more, but didn't receive any payments. That's probably another thing that scammers here try to optimize: they don't want to ask for so much money that victims just can't pay.

Cloud security company Resecurity did write a blog post with a little bit of background about attacks that we often see in our honeypots. These attacks are looking for various configuration files. Now, Resecurity here specifically looked for Azure AD client secrets. These are secrets that you're using to connect back to various Azure Active Directory features. And, well, they're usually stored in a little JSON file, and that's appsettings.json. Now, this file has a fairly simple structure, with basically your client ID and the client secret being included in this file. What they see, and that's also something that we have seen sometimes, is sort of slight variations of this, like, for example, adding "development", "dev", and such to the file name to look for any older development versions or such of these credential files. And then, of course, once they have the file, they can use it to essentially attack someone's Active Directory setup in this particular case. Interesting attack, and like I said, nice background on an attack that we often see in our honeypots, but don't always sort of have the connection to what an attacker actually does with these credentials after they gain access to them.

Research by Qi'anxin X-Lab does show an interesting new Trojan that, well, uses yet again ICMP for a covert channel. ICMP is one of those issues, and I just last week mentioned, when I was teaching SEC 503, that it keeps coming back ever so often. I guess it's time again, a couple of years after we had it last time, that ICMP is being used here to essentially activate an outbound connection to a command and control server. Also a little bit different and interesting here is the DNS command and control channel. It uses a fixed prefix for the domain name, and then the remainder of the domain name is a base64-encoded command for the bot listening for these incoming requests. The bot is actually just listening on a raw socket, so there is no listening port that you would necessarily see, and the DNS requests are valid, but have this somewhat odd domain name that may actually be showing up in your logs. If you're looking carefully, it's not a valid registered domain name, so that's also something that may throw up an alert here and there.

A couple of episodes ago, I mentioned the critical vulnerability in FreePBX, and at the time there was only a preliminary patch available. That patch appears now to be official, and Sangoma, the company behind FreePBX, is encouraging everybody to patch. I looked quickly at the GitHub repository for FreePBX, and it looks like the problem here was a fixed secret for OAuth authentication that has now been replaced with something that is sort of created dynamically.

Well, and this is it for today. So thanks for listening, and talk to you again tomorrow. Bye.