
SANS Stormcast Tuesday, December 9th, 2025: nanoKVM Vulnerabilities; Ghostframe Phishing; WatchGuard Advisory

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9730.mp3




nanoKVM Vulnerabilities
The nanoKVM device updates firmware insecurely; however, the microphone that the authors of the advisory referred to as “undocumented” may actually be documented in the underlying hardware description.
https://www.tomshardware.com/tech-industry/cyber-security/researcher-finds-undocumented-microphone-and-major-security-flaws-in-sipeed-nanokvm

Ghostframe Phishing Kit
The Ghostframe phishing kit uses iFrames and random subdomains to evade detection.
https://blog.barracuda.com/2025/12/04/threat-spotlight-ghostframe-phishing-kit
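
The iframe-plus-unique-subdomain pattern Barracuda describes can be checked for on the defensive side. Below is an added example (not code from the Barracuda write-up or from this site) that parses an HTML message, pulls every iframe source, and flags sources whose first hostname label is a long, high-entropy string, also recording whether the outer page carries a password field of its own; the HTML samples, placeholder domains and thresholds are constructed for illustration.

```python
import math
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples with placeholder domains (not real Ghostframe infrastructure). The
# phishing-style page is plain HTML with no login form; the iframe pulls the real form
# from a host whose first label is a long random-looking string encoding the recipient.
PHISH_HTML = """<html><body><h1>A document was shared with you</h1>
<iframe src="https://k7q2x9m4v1b8n3c6z0p5w2r7t4y1u8i3.example-invalid.test/login"
        width="100%" height="600"></iframe></body></html>"""
# An ordinary embed: short, dictionary-like first label, nothing to flag.
BENIGN_HTML = """<html><body><p>Quarterly update</p>
<iframe src="https://www.example.test/embed/video"></iframe></body></html>"""

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []                        # every <iframe src=...> seen
        self.outer_has_password_field = False # does the outer page itself ask for a password?

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.srcs.append(a["src"])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.outer_has_password_field = True

def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

def is_tracking_label(label, min_len=20, min_entropy=3.5):
    """Heuristic for a first label that encodes the recipient: long and high-entropy."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def analyse(html):
    """One finding per iframe whose source host matches the Ghostframe pattern."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = (urlparse(src).hostname or "").lower()
        labels = host.split(".")
        if len(labels) >= 3 and is_tracking_label(labels[0]):
            findings.append({"src": src, "tracking_label": labels[0],
                             "parent_domain": ".".join(labels[1:]),
                             "label_entropy": round(shannon_entropy(labels[0]), 2),
                             "outer_page_has_password_field": parser.outer_has_password_field})
    return findings
```

Because the recipient token sits in the host name rather than in a query string, the check has to be applied to the iframe's hostname labels, not to URL parameters.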

WatchGuard Advisory
WatchGuard released an update for its Firebox appliance, fixing ten vulnerabilities. Five of these are rated as “High.”
https://www.watchguard.com/wgrd-psirt/advisories



Podcast Transcript

Hello and welcome to the Tuesday, December 9th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in Purple Team Operations.

I would imagine that many of you listening have seen a device being advertised as the nanoKVM. KVM stands for Keyboard, Video and Mouse switch: a little IP-accessible device that gives you remote access to the keyboard, video, and mouse of a particular device that you connect it to. Now, this device does not scream secure. It screams cheap, and it's advertised as the cheapest possible device to accomplish this IP access to your keyboard and video screen. So a little cheap way to get basically remote access to a system, even if the power fails and the like, which is definitely something nice to have. And I actually have one here at home and I've been playing with it, and it definitely works. But of course, the security aspect here comes in, in particular since the device has had a number of glaring security faults, like bad hashing and encryption of passwords, things like an SSH server being enabled by default with a default password. And researchers have had a hard time convincing the maker to fix some of these vulnerabilities. The latest issue is that the entire firmware update process is insecure, in particular the update of a binary blob that's sort of the proprietary part of these devices. So that, of course, now opens up the possibility of evil updates being slipped in here. The other thing that came out this week was that the motherboard of the device includes a microphone, with no obvious reason for the microphone to be there. Now, of course, there were a lot of suggestions about spying and such. There may actually be a benign explanation for the microphone. This company also makes a little system on a chip, sort of a single-board computer, that's based on exactly the same motherboard as this KVM. The KVM was really just sort of an application of this single-board computer. And yes, that single-board computer does have a microphone. The microphone is advertised in the product description. So it's not something that's hidden, even though, of course, it's a little bit hard to find, based on it being a really, really small surface-mounted microphone on the board. You can always, well, remove the microphone, even though it's a little bit tricky because of the small size of it. There's also now an effort underway to create sort of a more third-party, open-source version of the firmware that's based on a standard Linux distribution. So if you don't trust the manufacturer, you could always switch to one of those solutions. I haven't really tested them yet to see how reliable they are and how well they function compared to the official firmware. But then again, remember: never ever expose these devices to the Internet.

And Barracuda is reporting about a new phishing kit that they're calling Ghostframe, which uses iframes in order to evade detection. The way this particular phishing kit works is that the phishing mail and web page itself is just simple, benign HTML that's not triggering any kind of phishing detection rules. And then inside that HTML page, an iframe loads the actual login part of the phishing page. That way it's not being detected as easily by any defensive mechanisms. The other little trick here is that this iframe loads this page from a random, or not really random but unique, subdomain. So the attacker uses a particular subdomain and then just has a prefix, a long random-looking string, which basically encodes the recipient. And that way they can load the right login page for the right victim in a scalable, automated manner. That's a little bit like some of these phishing sites where you sort of automatically get your company logo also being displayed based on some URL parameters. In this case, they're not using URL parameters. They're just using the first label of the host name.

And WatchGuard did release an update for its Firebox appliance. This update fixes 10 different vulnerabilities. Five of them are rated high. None of them is rated critical. There was one vulnerability that sort of scared me a little bit initially when I read the title, and that was memory corruption in the IKE daemon. That's actually a component that has been vulnerable in various IPsec instances in the past. In this particular case, an unauthenticated attacker may cause a denial of service. But again, only a denial of service, and only in fairly specific configurations. So nothing I would be too worried about. There's an interesting Expat vulnerability that I think could actually turn out to be more severe. It could lead to internal configuration leaks and does not require authentication in order to exploit it. So that may be one of those vulnerabilities where the right attacker, that's a bit more creative in what they're looking for, can actually cause some damage. So apply the update. Again, nothing critical here, but something you probably want to get patched by the end of next week.

Well, and that's it for today. So thanks for listening. And one special request: if you are using the Apple Podcast app in order to listen to this podcast, I would appreciate a review. So please and thank you, and talk to you again tomorrow. Bye.