Hello and welcome to the Thursday, March 20th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Well, today I took a look at some Cisco Smart Licensing Utility vulnerabilities. There are two vulnerabilities that were patched September last year. Now, shortly after the patch was released, there was also an exploit released, and the exploit is pretty straightforward for this vulnerability. It was yet another of these static credential vulnerabilities. So really all you need to know in order to exploit the vulnerability is, well, what these static credentials were, and that's what a blog post that was published a couple of days after the patch came out, well, revealed. Haven't really seen much exploitation of this vulnerability so far. However, today I noticed that we got some significant scanning for this vulnerability, for the particular URL being used. Then, when I looked at the complete request, they indeed used an Authorization header with these static credentials. This is part of what looks like some kind of botnet. They're scanning for a number of other vulnerabilities. Some of these vulnerabilities are basically just looking for credentials, like things like .env files and such being leaked. But they're also looking, interestingly, for another, a little bit odd, sort of video recorder vulnerability. One of these security camera recorders also has static credentials. In that case, the credentials are about as complex as the Cisco credentials. So something you wouldn't necessarily guess. It's not something like admin/admin, but a little bit more complex. A couple of special characters in the Cisco case. But of course, if they're static, well, it doesn't really matter how complex they are once they have been leaked. The official lesson here is, of course, patch. The less official version is: if you're buying expensive enterprise software or cheap security cameras, they have the same type of vulnerabilities. So better get ready for it.

And AhnLab did release a blog post showing an interesting trick that attackers are using by loading an old driver. Now, we often have the bring-a-vulnerable-driver technique. This is a little bit of a variation of this technique. The idea is that there are a number of drivers that have special powers in the operating system. They're, as a result, digitally signed, so they can't be altered. However, if they have a vulnerability, well, then they can be used in order to elevate privileges. That's your classic bring-a-vulnerable-driver vulnerability, where an attacker is using a driver with a known vulnerability that has a valid signature in order to, usually, achieve system privileges. This is a little bit of a different variation of this attack. The driver in question here is called the truesight.sys driver. This driver came originally as part of an anti-rootkit, actually, so anti-malware, but had the little bit iffy side effect where it could be used to terminate arbitrary processes, even if they were not associated with a rootkit. And that essentially then led to a limited privilege escalation, where an attacker was able to shut down security processes. And with that, they're able to load additional malware. Now, this particular vulnerable driver was originally put on Microsoft's driver block list. Microsoft maintains a list of known vulnerable drivers. And, well, this was one of them now. So it was added to the block list. The problem here was then that, aside from the block list not really working the way it's designed to, even if it would have worked the way it was designed to, it wouldn't block this particular driver, at least an old version of this driver, because the block list only goes back for drivers to 2015. And there was a vulnerable version of this driver, version 2.0.0, that was published before. So that one could still be used. Well, then the attacker also applied the zero-padding trick to actually modify the driver as it is being loaded. So we're back to certificate bypass issues here that are also part of these sort of older vulnerabilities. The end effect is that the attacker is able to load the driver. The attacker is now gaining privileges to shut down arbitrary processes. And yes, attackers yet again used this particular driver to then kill security processes. Microsoft apparently has now added the old version to their block list as well. As I said, that's more miss than hit when it comes to hit and miss with this driver block list. Lots of reports that they actually don't really work very well. Hopefully some regular anti-malware and such will also add these old drivers to their signatures to hopefully block them from being used.

And in security announcements, we got two updated announcements from Synology affecting a number of their camera products. Take a look if there are any new products being added here to the vulnerable products list that are affected by this. The vulnerabilities are critical. They are remote code execution vulnerabilities. They were mostly discovered as part of the Zero Day Initiative's Pwn2Own contest. So definitely something that you do want to address. There are, for example, some arbitrary remote read vulnerabilities, also execution of arbitrary code, and then also some machine-in-the-middle attacks that are being addressed here.

Well, and that's it for today. Thanks for listening. Thanks for recommending the podcast. If you meet anybody from SANS, let them know that you listen to and like the podcast. And any feedback, as always, welcome. Playing a little bit with different backgrounds and lighting and such, or content. If I say anything wrong or missed something, please let me know. Thanks and talk to you again tomorrow. Bye.
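The scanning described in the first segment (a botnet probing a product URL with a leaked static credential in the Authorization header, alongside .env leak probes) is something a defender can pick up in web server logs. The following is an added example, not code from the podcast or from Cisco, showing one way to do that: decode Basic Authorization headers, compare a fingerprint of the decoded user:password against a list of known-leaked static credentials, and flag known probe paths. The log format (a custom format that logs the Authorization header as the last quoted field), the licensing API path, and the credential itself are all constructed placeholders, not the real Cisco values, which this episode does not disclose.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

# Constructed placeholder: NOT the real Cisco Smart Licensing Utility credentials.
# A defender would populate this with sha256("user:password") of credentials
# published in vendor advisories, so the plaintext never sits in the rule file.
KNOWN_STATIC_CREDENTIAL_HASHES = {
    hashlib.sha256(b"placeholder-user:placeholder-pass").hexdigest():
        "vendor-static-credential (placeholder)",
}

# Request paths that indicate credential-harvesting scans: the .env leak probes
# mentioned in the episode, plus a placeholder path standing in for the
# licensing utility's API endpoint (the real path is not on this page).
SUSPICIOUS_PATHS = {
    "/.env": "env-file probe",
    "/example-licensing-api/": "licensing utility probe (placeholder path)",
}

# Assumed custom log format: common log format followed by the Authorization
# header value in quotes ("-" when the header is absent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<auth>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    path: str
    reason: str


def basic_auth_fingerprint(auth_header):
    """Return sha256 of the decoded 'user:password' for a Basic header, else None."""
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return hashlib.sha256(raw).hexdigest()


def scan_log(lines):
    """Return one Finding per (request, reason) pair that matches a rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line; skip it
        ip, path, auth = m["ip"], m["path"], m["auth"]
        fp = basic_auth_fingerprint(auth)
        if fp in KNOWN_STATIC_CREDENTIAL_HASHES:
            findings.append(Finding(ip, path, KNOWN_STATIC_CREDENTIAL_HASHES[fp]))
        for prefix, reason in SUSPICIOUS_PATHS.items():
            if path.startswith(prefix):
                findings.append(Finding(ip, path, reason))
    return findings


# Constructed sample log lines (documentation IP ranges, placeholder paths).
_PROBE_CREDS = base64.b64encode(b"placeholder-user:placeholder-pass").decode()
_LEGIT_CREDS = base64.b64encode(b"alice:correct horse battery staple").decode()
SAMPLE_LOG = [
    f'203.0.113.5 - - [20/Mar/2025:10:01:02 +0000] "GET /example-licensing-api/ HTTP/1.1" 401 0 "Basic {_PROBE_CREDS}"',
    '203.0.113.5 - - [20/Mar/2025:10:01:03 +0000] "GET /.env HTTP/1.1" 404 153 "-"',
    f'198.51.100.7 - - [20/Mar/2025:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 512 "Basic {_LEGIT_CREDS}"',
    "this line is not in the expected format",
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ip} {f.path} -> {f.reason}")
```

Hashing the decoded credential rather than storing it in clear keeps the leaked value out of the detection rule file, while still matching exact probes. Legitimate traffic with other credentials produces no finding, and lines that do not match the assumed format are skipped rather than misparsed.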