SANS Stormcast Monday, September 8th, 2025: YARA to Debugger Offsets; SVG JavaScript Phishing; FreePBX Patches;

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9602.mp3


From YARA Offsets to Virtual Addresses
Xavier explains how to convert the file offsets reported by YARA into addresses suitable for use with debuggers.
https://isc.sans.edu/diary/From%20YARA%20Offsets%20to%20Virtual%20Addresses/32262
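The conversion the diary describes, as an added example that is not Xavier's script: read the PE section table, find the section whose raw data covers the YARA file offset, and translate it to an RVA and then a virtual address using ImageBase. The minimal PE32+ image built by `build_sample_pe()` is constructed here for the demonstration and is not a real binary.

```python
import struct
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data):
    """Return (ImageBase, [(name, VirtualAddress, SizeOfRawData, PointerToRawData), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader
    num_sections, _, _, _, size_opt = struct.unpack_from("<HIIIH", data, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: 32-bit ImageBase at optional header offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:        # PE32+: 64-bit ImageBase at optional header offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_FMT, data, opt + size_opt + 40 * i)
        sections.append((f[0].rstrip(b"\0").decode(), f[2], f[3], f[4]))
    return image_base, sections

def file_offset_to_va(data, offset):
    """Map a raw file offset (what YARA reports) to (section name, RVA, VA)."""
    image_base, sections = parse_pe(data)
    for name, va, raw_size, raw_ptr in sections:
        if raw_ptr <= offset < raw_ptr + raw_size:
            rva = offset - raw_ptr + va
            return name, rva, image_base + rva
    # Offsets in the headers or in slack between sections have no section mapping.
    raise ValueError("offset 0x%x is not inside any section's raw data" % offset)

def build_sample_pe():
    """Constructed minimal PE32+ image: only the fields the converter reads are meaningful."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = bytearray(240); struct.pack_into("<H", opt, 0, 0x20B); struct.pack_into("<Q", opt, 24, 0x140000000)
    def sec(name, va, raw_ptr): return struct.pack(SECTION_FMT, name, 0x200, va, 0x200, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(0x800)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec(b".text", 0x1000, 0x400) + sec(b".data", 0x2000, 0x600)
    image[:len(hdr)] = hdr
    image[0x4B0:0x4B8] = b"YARAHIT!"   # stand-in for the bytes a YARA rule matched
    return bytes(image)
```

For the constructed image, `file_offset_to_va(build_sample_pe(), 0x4B0)` returns `('.text', 0x10b0, 0x1400010b0)`, the address to set a breakpoint on once the sample is loaded at its preferred ImageBase.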


Phishing via JavaScript in SVG Files
VirusTotal uncovered a Colombian phishing campaign that takes advantage of JavaScript in SVG files.
https://blog.virustotal.com/2025/09/uncovering-colombian-malware-campaign.html
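An added triage example, not code from the VirusTotal post: it walks an SVG's XML tree and reports the three places SVG can carry script (`<script>` elements, `on*` event-handler attributes, and `javascript:` hrefs), which is the kind of check a mail gateway or endpoint scanner needs since blocking all SVGs is not an option. Both SVG samples are constructed for this example.

```python
import xml.etree.ElementTree as ET
# For SVGs from untrusted sources, swap in defusedxml.ElementTree to block entity-expansion tricks.

def _local(name):
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}' from a tag or attribute."""
    return name.rsplit("}", 1)[-1]

def find_active_content(svg_text):
    """Return (kind, element, detail) triples for each place the SVG carries executable script."""
    findings = []
    for elem in ET.fromstring(svg_text).iter():
        tag = _local(elem.tag)
        if tag.lower() == "script":
            findings.append(("script-element", tag, (elem.text or "").strip()[:60]))
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            compact = "".join(ch for ch in value if not ch.isspace()).lower()  # defeat "java script:" padding
            if name.startswith("on"):                                  # onclick, onload, onmouseover, ...
                findings.append(("event-handler-attribute", tag, name))
            elif name == "href" and compact.startswith("javascript:"):  # href and xlink:href
                findings.append(("javascript-uri", tag, value.strip()))
    return findings

# Constructed sample: an "interactive" SVG that uses all three script-carrying features.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect id="r" width="200" height="200" fill="blue" onclick="this.setAttribute('fill','green')"/>
  <a xlink:href="javascript:void(0)"><text x="20" y="100">Click</text></a>
  <script><![CDATA[ document.getElementById('r').setAttribute('fill', 'red'); ]]></script>
</svg>"""

# Constructed benign SVG: static shapes only, should produce no findings.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4" fill="red"/></svg>'
```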

FreePBX Patches
FreePBX released details regarding two vulnerabilities patched last week. One of these vulnerabilities was already actively exploited.
https://github.com/FreePBX/security-reporting/security/advisories/GHSA-3r47-p39v-vqqf

Podcast Transcript

Hello and welcome to the Monday, September 8, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from New York City, New York. And this episode is brought to you by the SANS.edu graduate certificate program in Purple Team Operations.

Xavier this weekend wrote a great diary to show you how to use YARA to, well, make it easier to analyze malware. In YARA, of course, you can write signatures to find interesting pieces of code in files. And with that, you also get an offset for that piece of code where it shows up in the file. The problem you have now is that as you, for example, run that code in a debugger, if you try to identify this piece of code, well, you need to know the offset in the particular section of the PE file, typically the text section. And that's what Xavier is explaining here, how to get all the numbers you need to actually get the right offset in the right section. And, well, to top it off, Xavier also wrote a little Python script to actually do most of the work for you.

VirusTotal has a blog post where they're discussing some of the new phishing attacks that they have seen employing SVG images. SVG images are, well, vector-based images. So one of the advantages of SVG is that as you increase the size of the image, it doesn't become pixelated, but instead sort of retains all the features at the higher resolution. The other advantage of SVG is that it's an XML-based format. So it's easily embedded into a web page. You don't need to load a separate file, which of course makes things more efficient. What's not so well known about SVG images is that, well, they can contain JavaScript. You may ask, why does everything need JavaScript? Well, in this case, SVG images need JavaScript to create interactive images. So you can change the image as the user interacts with a particular image; clicks on it, or mouse-over events and the like can be captured and then translated into altering the image. So that's essentially what's happening here with this particular phishing campaign, that the attacker is embedding JavaScript into SVG images in order mostly to evade detection. Now in this blog post, VirusTotal shows a little bit of its AI tools and shows how they're able then to detect that, well, this particular image does contain malicious JavaScript. To the user, the result is, well, like any other phishing page: it displays a lookalike web page that the user is then tricked into interacting with and delivering their personal information, username, passwords, or additional details. SVG images in general should probably not be blocked. They're very legitimate. Even SVG images with JavaScript, sadly, are used, even though not quite as common. But this certainly requires a little bit more capable endpoint detection or malware detection solution in order to figure out these malicious SVG images.

In the last week or so, we did talk a couple times about FreePBX, the open source PBX software that had an already exploited vulnerability and where we had to deal sort of with partial patches initially and then official patches last week. We now got the official advisory from PBX with a little bit more details about the particular vulnerabilities. The critical vulnerability here that was addressed sort of with this emergency patch was indeed an OAuth-related vulnerability, in particular how the secret keys to digitally sign JWT tokens were created. And yes, they were not created randomly. If you had particular distributions or if you installed two systems at about the same time, you ended up with identical keys. And now you may say, hey, the attacker, well, doesn't necessarily know what time I installed my system. Well, they can guess it in some ways and then they can also brute force the timestamp. They didn't have to be that particularly accurate as long as they know that the timestamp is being used to create these keys. So, that apparently was at least part of the issue here that was fixed. There was also a stored cross-site scripting vulnerability that was also addressed in that patch, that also should be patched. It's definitely an important at least vulnerability, if not critical. But the sort of highlight vulnerability here is this OAuth issue and that's definitely a must-patch-now problem since it's already being exploited.

So, that's it. Well, that's it for today. So, thanks again for listening. Thanks for liking and subscribing to this podcast. And as always, talk to you again tomorrow. Bye.