
SANS Stormcast Wednesday, September 3rd, 2025: Sextortion Analysis; Covert Channel DNS/ICMP; Azure AD Secret Theft; Official FreePBX Patches

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9596.mp3


A Quick Look at Sextortion at Scale
Jan analyzed 1,900 different sextortion messages that used 205 different Bitcoin addresses, looking at the success rate, lifetime, and other metrics that define these campaigns.
https://isc.sans.edu/diary/A%20quick%20look%20at%20sextortion%20at%20scale%3A%201%2C900%20messages%20and%20205%20Bitcoin%20addresses%20spanning%20four%20years/32252

Azure AD Client Secret Leak
Attackers are stealing Azure AD client secrets from websites that leave the configuration file holding them (appsettings.json, and development variants of it) exposed.
https://www.resecurity.com/blog/article/azure-ad-client-secret-leak-the-keys-to-cloud
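The two sides of this attack, as an added example that is not code from the ReSecurity post or from the ISC honeypots: first, a scan of web-server access logs for requests aimed at appsettings.json and its variants (with web.config added as a related ASP.NET config file, which goes slightly beyond what the episode mentions), flagging the ones the server actually answered with 200; second, an audit of an appsettings file for populated secret-like values before it is deployed. The log lines, the "AzureAd" section layout and every value in the sample file are constructed for the example.

```python
import json
import re

# Constructed sample of a combined-format access log (not from the page): one
# source probing for appsettings.json and the "Development"/"dev" variants the
# episode describes, plus an ordinary request. The Development file was served.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [02/Sep/2025:10:01:12 +0000] "GET /appsettings.json HTTP/1.1" 404 153
203.0.113.7 - - [02/Sep/2025:10:01:13 +0000] "GET /appsettings.Development.json HTTP/1.1" 200 412
203.0.113.7 - - [02/Sep/2025:10:01:14 +0000] "GET /wwwroot/appsettings.dev.json.bak HTTP/1.1" 404 153
203.0.113.7 - - [02/Sep/2025:10:01:15 +0000] "GET /web.config HTTP/1.1" 404 153
198.51.100.9 - - [02/Sep/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Request paths that point at credential-bearing config files. appsettings*.json
# is the ASP.NET Core convention from the episode; web.config is an extension.
CONFIG_PROBE = re.compile(
    r'"(?:GET|POST|HEAD) (?P<path>\S*(?:appsettings\S*|web\.config))',
    re.IGNORECASE,
)

def find_config_probes(log_text):
    """Return (client_ip, path, status) for every request aimed at a config file."""
    hits = []
    for line in log_text.splitlines():
        m = CONFIG_PROBE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        # Combined log format: the status code is the first token after the quoted request.
        status = int(line.split('"')[2].split()[0])
        hits.append((client_ip, m.group("path"), status))
    return hits

def served_config_files(log_text):
    """Only the probes answered with 200: these files are exposed and must be rotated."""
    return [(ip, path) for ip, path, status in find_config_probes(log_text) if status == 200]

# Constructed appsettings.json in the usual ASP.NET Core "AzureAd" layout
# (client ID next to client secret). All values are placeholders.
SAMPLE_APPSETTINGS = """
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "11111111-1111-1111-1111-111111111111",
    "ClientSecret": "example-secret-value-do-not-ship"
  },
  "Logging": { "LogLevel": { "Default": "Information" } }
}
"""

SECRET_KEY = re.compile(r"client[_-]?secret|password", re.IGNORECASE)

def _walk(obj, path, found):
    """Collect JSON paths whose key looks like a secret and whose value is non-empty."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}/{key}" if path else key
            if isinstance(value, (dict, list)):
                _walk(value, child, found)
            elif SECRET_KEY.search(key) and isinstance(value, str) and value.strip():
                found.append(child)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            _walk(value, f"{path}[{i}]", found)

def audit_appsettings(text):
    """Return the JSON paths of populated secret-like values in an appsettings file."""
    found = []
    _walk(json.loads(text), "", found)
    return found

if __name__ == "__main__":
    for ip, path in served_config_files(SAMPLE_ACCESS_LOG):
        print(f"exposed config served to {ip}: {path}")
    for secret_path in audit_appsettings(SAMPLE_APPSETTINGS):
        print(f"secret value present at {secret_path}")
```

A 200 on any of these paths means the client ID and secret should be treated as compromised and rotated in Entra ID, not just removed from the web root; the audit function is the kind of check to run in CI so that a populated ClientSecret never ships in a file that lives under the document root in the first place.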

Covert Channel via ICMP and DNS
A new backdoor combines ICMP and DNS for covert communication: the DNS queries use names with a fixed prefix followed by a base64-encoded command, and ICMP echo request packets carry commands in their payload.
https://blog.xlab.qianxin.com/mystrodx_covert_dual-mode_backdoor_en/
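Detection logic for both channels, as an added example that is not code from the Xlab report or the podcast. The DNS side assumes the layout the episode describes (a fixed prefix, then the base64 command in the same label, then a parent domain); the prefix "cmd", the parent domain example.test and the encoded commands are invented for the example. The ICMP side builds its own well-formed echo requests as constructed test traffic, verifies the RFC 1071 checksum, and reports payloads that are printable text but not the stock ping fill patterns (the 32-byte alphabet Windows ping uses, or the timestamp plus 0x10, 0x11, ... byte ramp iputils ping uses).

```python
import base64
import string
import struct

PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}

# Constructed DNS query names. The prefix "cmd" and example.test are assumptions.
SAMPLE_DNS_QUERIES = [
    "www.example.test",
    "cmd.example.test",                   # prefix alone, nothing encoded
    "cmdline.example.test",               # benign name that happens to start with the prefix
    "cmdd2hvYW1p.example.test",           # base64("whoami")
    "cmdbHMgLWxhIC90bXA.example.test",    # base64("ls -la /tmp") with padding stripped
]

def decode_label(label):
    """Decode a label as unpadded base64/base64url; return printable text or None."""
    s = label.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)          # hostnames cannot carry '=', so restore padding
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and all(c in PRINTABLE for c in text) else None

def dns_channel_hits(query_names, prefix):
    """Return (name, command) for queries whose first label is prefix + base64(command)."""
    hits = []
    for name in query_names:
        first = name.rstrip(".").split(".")[0]
        if not first.startswith(prefix) or len(first) == len(prefix):
            continue
        command = decode_label(first[len(prefix):])
        if command is not None:
            hits.append((name, command))
    return hits

def icmp_checksum(data):
    """RFC 1071 ones'-complement checksum (data zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(ident, seq, payload):
    """Constructed test traffic: a well-formed ICMP echo request (type 8, code 0)."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, icmp_checksum(header + payload), ident, seq) + payload

def parse_echo_request(packet):
    """Return (ident, seq, payload) for an echo request with a valid checksum, else None."""
    if len(packet) < 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # Summing the whole packet including its checksum field must give zero.
    if icmp_type != 8 or code != 0 or icmp_checksum(packet) != 0:
        return None
    return ident, seq, packet[8:]

WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

def echo_payload_command(payload):
    """Printable text in an echo payload that is not a stock ping pattern, else None."""
    if not payload or payload == WINDOWS_PING_PAYLOAD:
        return None
    # iputils ping: optional timestamp (8 or 16 bytes), then the ramp 0x10, 0x11, 0x12, ...
    for ts_len in (0, 8, 16):
        ramp = payload[ts_len:]
        if ramp and len(ramp) <= 0xF0 and ramp == bytes(range(0x10, 0x10 + len(ramp))):
            return None
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if all(c in PRINTABLE for c in text) else None

def icmp_channel_hit(packet):
    """Command smuggled in an ICMP echo request, or None for malformed/ordinary pings."""
    parsed = parse_echo_request(packet)
    return echo_payload_command(parsed[2]) if parsed else None

if __name__ == "__main__":
    for name, command in dns_channel_hits(SAMPLE_DNS_QUERIES, "cmd"):
        print(f"DNS channel: {name} -> {command!r}")
    for pkt in (build_echo_request(0x1234, 1, b"connect 198.51.100.5:443"),
                build_echo_request(1, 1, bytes(8) + bytes(range(0x10, 0x40)))):
        print(f"ICMP channel: {icmp_channel_hit(pkt)!r}")
```

Both checks are heuristics: a resolver log that lowercases names will break base64 decoding, so run the DNS check on raw query data where possible, and a legitimate ping tool with a custom text pattern will trip the ICMP check. The useful property of the raw-socket design the episode mentions is that nothing is listening on a port, so network telemetry (DNS query logs, ICMP payload inspection at the perimeter) is the place to look rather than a port scan of the host.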

Official Release of Critical FreePBX Patch
Sangoma has announced that the experimental patch released for the exploited FreePBX vulnerability is now considered stable, and users should update to apply it.
https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203

Podcast Transcript

Hello and welcome to the Wednesday, September 3rd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Industrial Control System Security.

And in diaries today, we do have a new diary by Jan. Jan has written about sextortion scams in the past. As a result of one of those posts, well, a reader and listener got Jan access to a relatively large corpus of different sextortion email scams. This particular set of messages had about 1,900 different emails with 205 different Bitcoin addresses being used. Now, what was sort of interesting is that over time, it looks like the effectiveness of these emails has been declining. And that kind of makes sense given that people keep getting the same message over and over. Eventually, they'll probably get sick of paying over and over as well. But still, they are somewhat successful. The payments usually arrive within a day of the messages initially being sent. So fairly short-lived campaigns as well. And overall, they usually ask for a couple hundred to a couple thousand euros or dollars. And then there are a couple of outliers that ask for significantly more, but didn't receive any payments. That's probably another thing that scammers here try to optimize. They don't want to ask for so much money that victims just can't pay.

And cloud security company ReSecurity did write a blog post with a little bit of background about attacks that we often see in our honeypots. These attacks are looking for various configuration files. Now, ReSecurity here specifically looked for Azure AD client secrets. These are secrets that you're using to connect back to various Azure Active Directory features. And well, they're usually stored in a little JSON file, and that's appsettings.json. Now, this file has a fairly simple structure with basically your client ID and the client secret being included in this file. What they see, and that's also something that we have seen sometimes, is sort of slight variations of this, like for example adding "development", "dev" and such to the file name to look for any older development versions or such of these credential files. And then of course, once they have the file, they can use it to essentially attack someone's Active Directory setup in this particular case. Interesting attack and, like I said, nice background on an attack that we often see in our honeypots, but don't always sort of have the connection to what an attacker actually does with these credentials after they gain access to them.

And research by Qi'anxin X-Lab does show an interesting new Trojan that, well, uses yet again ICMP for a covert channel. ICMP is one of those issues, and I just last week mentioned, when I was teaching SEC 503, that it keeps coming back ever so often. I guess it's time again, a couple of years after we had it last time, that ICMP is being used here to essentially activate an outbound connection to a command and control server. Also a little bit different and interesting here is the DNS command and control channel. It uses a fixed prefix for the domain name, and then the remainder of the domain name is a base64-encoded command for the bot listening for these incoming requests. The bot is actually just listening on a raw socket, so there is no listening port that you would necessarily see, and the DNS requests are valid, but have this somewhat odd domain name that may actually be showing up in your logs. If you're looking carefully, it's not a valid registered domain name. So that's also something that may throw up an alert here and there.

A couple of episodes ago, I mentioned the critical vulnerability in FreePBX, and at the time there was only a preliminary patch available. That patch appears now to be official, and Sangoma, the company behind FreePBX, is encouraging everybody to patch. I looked quickly at the GitHub repository for FreePBX, and it looks like the problem here was a fixed secret for OAuth authentication that has now been replaced with something that is sort of created dynamically.

Well, and this is it for today. So thanks for listening and talk to you again tomorrow. Bye.