Podcast Detail

SANS Stormcast Friday, May 9th: SSH Exfil Tricks; magicINFO still vulnerable; SentinelOne Vulnerability; Commvault insufficient patch

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9444.mp3

previous
Podcast Logo
SSH Exfil Tricks; magicINFO still vulnerable; SentinelOne Vulnerability; Commvault insufficient patch
00:00

No Internet Access: SSH to the Rescue
If faced with restrictive outbound network access policies, a single inbound SSH connection can quickly be turned into a tunnel or a full-blown VPN
https://isc.sans.edu/diary/No%20Internet%20Access%3F%20SSH%20to%20the%20Rescue!/31932

SAMSUNG magicINFO 9 Server Flaw Still exploitable
The SAMSUNG magicINFO 9 Server Vulnerability we found being exploited last week is apparently still not completely patched, and current versions are vulnerable to the exploit observed in the wild.
https://www.huntress.com/blog/rapid-response-samsung-magicinfo9-server-flaw

Bring Your Own Installer: Bypassing SentinelOne Through Agent Version Change Interruption
SentinelOne’s installer is vulnerable to an exploit allowing attackers to shut down the end point protection software
https://www.aon.com/en/insights/cyber-labs/bring-your-own-installer-bypassing-sentinelone

Commvault Still Exploitable
A recent patch for Commvault is apparently ineffective and the PoC exploit published by watchTowr is still working against up to date patched systems
https://infosec.exchange/@wdormann/114458913006792356

Podcast Transcript

 Hello and welcome to the Friday, May 9th, 2025 edition
 of the SANS Internet StormCast. My name is Johannes
 Ullrich and today I'm recording from San Diego, California.
 Well, Xavier is on a roll and we got another diary from
 Xavier. This time a little SSH trick. The problem here was
 that Xavier was provided with a system that only was
 accessible via SSH. It had no outbound connectivity. That
 was all blocked by the firewall and Xavier still had
 to basically reach out to a couple of websites to download
 additional tools. This quick solution here was, well, it
 just used the existing SSH tunnel to connect back to an
 HTTP proxy and from there, of course, back to the world. All
 you need with SSH is one single connection and then you
 can use it to forward ports and basically tunnel
 additional traffic. There's actually sort of another thing
 that I've used in the past a couple of times where you just
 run a point-to-point connection over SSH. That
 gives you essentially a complete VPN via SSH. Not
 quite as reliable as other VPN solutions. That's why I
 haven't really lately been using it much. But in a pinch,
 if all you have is SSH, that's certainly quite useful. And
 I've run into situations, for example, while traveling,
 where hotel or conference center networks were quite
 restricted. And, well, then something like this is
 sometimes saved the day. Well, then last week I wrote about
 exploits of a Samsung Magic Info 9 vulnerability. And back
 then I stated that, well, this vulnerability was actually
 patched back last August. Huntres Lab today published a
 blog post stating that the patch back from August
 probably didn't work or that there is a second very similar
 vulnerability. Either way, even fully patched copies of
 Samsung Magic Info 9 are still exploitable against the proof
 of concept that was published and that the exploit attempts
 that we have seen are based on. So if you're using Samsung
 Magic Info, which is typically used to manage the content on
 Samsung advertisement signage displays, well, better make
 sure that your install of Magic Info is not accessible
 from the Internet. I'm not sure if it's possible to just
 shut it down while you're not making any changes. But either
 way, the current latest version of the software is
 currently being exploited by botnets like Mirai. When it
 comes to endpoint detection and response systems, there is
 an ongoing battle between attackers and defenders where
 attackers are attempting to corrupt or disable the
 endpoint detection and response system. Now, there is
 a new exploit that has now been seen in the wild being
 used against Sentinel-1 doing just that. This was observed
 by Aeon and they observed this as part of their incident
 response practice. The trick that the attacker exploited
 here was against Sentinel-1 that Sentinel-1's upgrade
 process apparently wasn't properly protected. So by
 disabling and corrupting the update process, it was
 actually then possible to disable the endpoint
 protection on a particular host. Sentinel-1 has published
 some guidance about how to protect yourself from this
 particular attack. So if you're using Sentinel-1, take
 a look at the Aeon blog and see how to apply these
 protections. Well, then we have another incomplete patch
 to report about. ComVault, I think about two weeks ago,
 they patched a vulnerability. watchTowr came up with a
 great write-up of the vulnerability, including proof
 -of-concept exploits. Well, Will Dorman is now reporting
 that he tried that proof-of -concept exploit against a
 fully patched version of ComVault and apparently it
 still works. So double-check your backup systems and make
 sure that you have them isolated. I haven't seen
 anything yet about a new updated patch for this
 particular software. Well, this is it for today. So
 thanks for listening and talk to you again on Monday. Bye.