Hello and welcome to the Wednesday, May 7th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from San Diego, California.

Xavier today wrote about a Python info stealer. Now, at first it looks like any other info stealer. It does info stealer things, like checking if it's running in a debugger. It has some anti-VM features. It, of course, steals your information and then exfiltrates it via Telegram as encrypted files. And it has some of the usual add-ons like, for example, the ability to take screen captures. What's a little bit different about this particular info stealer is that it also includes a web server. And the intent of this web server appears to be to emulate different login pages, like, for example, Google's. By doing so via the loopback interface, they may be trying to evade some block lists and such that are often being used to control access to phishing websites. Overall, this particular info stealer appears to be also a little bit incomplete. There are no certificates for the web server that Xavier was able to recover. And that's likely then part of the more complete package that's going to be delivered to the victim.

And Google today had its monthly Patch Tuesday for Android. There was one particular vulnerability, a remote code execution vulnerability in the FreeType library, that's already being exploited. Now, what's sort of interesting here is that this FreeType library is not unique to Android. It's used in multiple open source projects. It's a very commonly used library. So look out for other updates for Linux distributions and the like to fix this particular FreeType issue. And at least update to the latest version of FreeType. Some of the more recently released versions of FreeType apparently were not vulnerable to this issue, even though the patch itself for the vulnerability was just being added to FreeType. This vulnerability is being exploited by loading a malicious TrueType font into the library. This library has had multiple vulnerabilities in the past. It is always a little bit tricky to sort of parse these compressed font file formats. So no really big surprise that this is being exploited, because there have been prior exploits for prior vulnerabilities that they could possibly have used to model their new exploit after.

And CISA, the Cybersecurity and Infrastructure Security Agency, published an interestingly titled bulletin called Unsophisticated Cyber Actors Targeting Operational Technology. I kind of actually like this very much, because we often are focusing a little bit too much on the more advanced threats that are sort of often more exciting, more novel and sort of more intriguing overall. But yes, that totally matches the data that we are seeing in our honeypots. Well, 99.999% of attacks are basically script kiddies, bots, simple attacks for which we have had defenses for years. So the problem is these attacks are still often successful. So CISA uses this particular title to basically point to its basic guidance on how to secure, in this case, operational technology. But I think this goes beyond sort of ICS and operational technology systems: sticking to the basics, making sure that you have some basic, sane configurations, like not exposing any unnecessary services, using strong passwords and such, is still an important item. Even though, well, even on this podcast, we hardly ever talk about it.

And F5 released what they're calling a canary proof of concept exploit for a recent Apache Parquet vulnerability. Apache Parquet is a very efficient, compressed database for tabular data used sort of to analyze bulk data. On April 1st, they released an advisory that indicated a critical vulnerability, CVSS score of 10, that can be exploited by basically just feeding a malicious file to Parquet. And, well, that file then essentially executes arbitrary Java code in a deserialization-style vulnerability. The reason they're calling this particular exploit a canary proof of concept exploit is that what you essentially do is you create a Parquet file using this tool. You feed this file to Parquet and then, if successful, this particular exploit will trigger Parquet to reach out to a URL that you specify as you create the exploit file. So this is sort of that kind of canary-token-like behavior where, whenever the particular exploit is executed, it just reaches out to the URL. Well, you set up a web server to register these connection attempts. And in doing so, you may be able to identify vulnerable instances of Parquet in your environment. Interesting exploit. And, of course, whenever an exploit like this becomes available, you also have to think about that attackers now have an easy-to-follow blueprint for how to develop their own exploit. So definitely take a look at it if you are running Apache Parquet.

And, well, this is it for today. So thanks for listening. As I mentioned yesterday, I did an evening talk today here in San Diego. I'm not sure if it will be posted as an archive. I'll leave the links up to it on the SANS website until tomorrow and see if it shows up. Usually it takes them a day or so to process any audio or video files for then sort of archived distribution. Thanks for listening and talk to you again tomorrow. Bye.