SANS Stormcast Tuesday, April 29th: SRUM-DUMP 3; Policy Puppetry; Choice Jacking; @sansinstitute at #RSAC

April 28, 2025

SANS Stormcast Tuesday, April 29th: SRUM-DUMP 3; Policy Puppetry; Choice Jacking; @sansinstitute at #RSAC

Episode Transcript

SRUM-DUMP Version 3: Uncovering Malware Activity in Forensics
Mark Baggett released SRUM-DUMP Version 3. The tool simplifies data extraction from Widnows System Resource Usage Monitor (SRUM). This database logs how much resources software used for 30 days, and is invaluable to find out what software was executed when and if it sent or received network data.
https://isc.sans.edu/diary/SRUM-DUMP%20Version%203%3A%20Uncovering%20Malware%20Activity%20in%20Forensics/31896
Novel Universal Bypass For All Major LLMS
Hidden Layer discovered a new prompt injection technique that bypasses security constraints in large language models.
The technique uses an XML formatted prequel for a prompt, which appears to the LLM as a policy file. This Policy Puppetry can be used to rewrite some of the security policies configured for LLMs. Unlike other techniques, this technique works across multiple LLMs without changing the policy.
https://hiddenlayer.com/innovation-hub/novel-universal-bypass-for-all-major-llms/
CHOICEJACKING: Compromising Mobile Devices through Malicious Chargers like a Decade ago
The old Juice Jacking is back, at least if you do not run the latest version of Android or iOS. This issue may allow a malicious USB device, particularly a USB charger, to take control of a device connected to it.
https://pure.tugraz.at/ws/portalfiles/portal/89650227/Final_Paper_Usenix.pdf
SANS @RSA: https://www.sans.org/mlp/rsac/

News Tech News Technology

Show Transcript

See full episode transcriptTranscript is autogenerated by AI

Hello and welcome to the Tuesday, April 29th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida. And in diaries today we got a new Python tool for a change, not from Didier, but from the Python master himself, Mark Baggett. Mark wrote SRUM DUMP, SRUM the systems resource usage monitor. That's the part of Windows that logs how much resources different software used for the last 30 days. And it's of course really interesting in forensics and instant response because you can check, well, which software was running when and did it use the network? How much data did it send? All of this is in the system research usage monitor logs. And well, that's exactly what this tool exports for you, presents it in easy to use formats. So if you are in that line of business, definitely take a look. And Mark is always interested in feedback. There's also a little run through of the tool and how to use it in sort of a simple case, kind of to give you an idea for how you could apply this tool to any kind of investigation that you are performing. And then we got an interesting new technique to perform a prompt injection in large language models. This comes from Hidden Layer and what they say is unique about their particular technique, they call it a policy puppetry, is that it's fairly universal. The same technique, the same style prompt can be used across multiple LLMs. They sort of tested all the big ones as part of their research. There have been similar prompt injections for specific models. But as Hidden Layer points out, well, they can't easily sort of be transferred then to another model and, of course, have in part been patched in the past. What they essentially are doing is that they're not only using the role-playing trick. And that trick is old. That, of course, has been used by itself in the past. Where you, for example, ask the language model, hey, write me a movie script, how to build a bomb or something like this. That's not alone what they're doing. In addition, they're also prefacing this particular prompt with a snippet of XML. The reason they're using XML is that this is usually how the policy files are using that these large language models are using that are actually defining some of the constraints. So, by essentially confusing the model as to what is the prompt or what is the policy, well, they end up being able to overwrite some of the fixed policy or supposedly fixed policy, which then leads the large language model to actually act on the prompt that is following that particular policy insert. It's an interesting trick. They say it's difficult to patch. It's sort of back to the good old bad pattern where you're sort of mixing instructions and data and user data. So, mixing code and user data that usually never goes very well. So, I think they probably have to figure this out in a more fundamental way than sort of just by simple block listing certain strengths. Well, it looks like an older attack. Juice jacking is back again. Juice jacking referred to the ability of malicious USB chargers to essentially act as a keyboard and then send keystrokes to a device. This was an issue that was sort of thought to be mostly mitigated. Now, if you remember, maybe if you're at RSA this week, I'm not sure if the NSA still has its USB charger at its booth, sort of as a little nod to this particular technique. But it looks like it sort of made a little bit a comeback in the form of Joyce jacking. Researchers at the Graz University of Technology in Austria have developed a technique that Android, as well as in a limited form, iOS were vulnerable to. Now, iOS fixed this last month with the update to 18.4. And these research were also credited with notifying Apple of this particular weakness in Android. It was fixed as well. But then again, depends on whether or not you're running the latest version of Android, whether or not you are protected. The trick here is similar to sort of the old juice jacking in that the device changes its nature. Now, the little difference here is that they're also taking advantage of the power delivery protocol. The power delivery protocol is usually used between the charger and the device to figure out what voltages the device is willing to accept. But it can also be used to basically indicate that the device is a charger or a device that actually receives a charger or power from another device. And that's sort of part of this here where the device is first charging. But then basically telling the phone, hey, I'm now actually a device that wants to be charged. So it changes in this host mode. And that's sort of the first step here. On Android, they also developed a technique that involves just filling up the input queue with sort of requests. And then when you're making the switch at the right time, it will essentially then turn the device into the ability to actually send keystrokes to the vulnerable phone or tablet or whatever you have in this system. Now, there's lots of details here. There's also another technique here where it actually involves then using a Bluetooth input device. Bluetooth, of course, similar issue where the charger could also include a Bluetooth interface and then basically emulate a Bluetooth keyboard. A number of different techniques are being demonstrated here. Again, if you are running the latest versions of respective operating systems, you should be good. Personally, I'm always not that terribly worried about chargers in airports and such all of a sudden turning malicious. Apparently, it has happened in the past. My main concern usually is of the electrical safety of some of these chargers. But for the most part, if you want to stay safe, just use your own charger. And this shouldn't really be a problem. Well, that's it for today. I will actually not be at RSA this week. I'll be in San Diego teaching a class next week. If you happen to be at RSA, stop by at the SANS booth. They'll be able to tell you what SANS instructors are speaking at RSA. There will also be the famous Most Dangerous Attack panel again. And well, let them know how much you like the podcast. And that's it for today. And talk to you again tomorrow. Bye. Bye. Bye. Bye. Thank you.

Digital Dispatch Podcast Podcast Artwork Image

SANS Daily Stormcast

Johannes Ullrich