Hello and welcome to the Thursday, March 20th, 2025
edition of the SANS Internet Storm Center's Stormcast. My name is
Johannes Ullrich and today I'm recording from Jacksonville,
Florida. Well, today I took a look at some Cisco Smart
Licensing Utility vulnerabilities. There are two
vulnerabilities that were patched September last year.
Now, shortly after the patch was released, there was also
an exploit released and the exploit is pretty
straightforward for this vulnerability. It was yet
another of these static credential vulnerabilities. So
really all you need to know in order to exploit the
vulnerability is well what these static credentials were
and that's what a blog post that was published a couple
days after the patch came out well revealed. Haven't really
seen much exploitation of this vulnerability so far. However,
today I noticed that we got some significant scanning for
this vulnerability for the particular URL being used.
Then when I looked at the complete request, they indeed
used an authorization header with these static credentials.
This is part of what looks like some kind of botnet.
They're scanning for a number of other vulnerabilities. Some
of these vulnerabilities are basically just looking for
credentials like things like .env files and such being
leaked. But they're also looking interestingly for
another little bit odd sort of video recorder vulnerability.
One of these security camera recorders also has static
credentials. In that case, the credentials are about as
complex as the Cisco credentials. So something you
wouldn't necessarily guess. It's not something like admin
admin, but a little bit more complex. A couple special
characters in the Cisco case. But of course, if they're
static, well, it doesn't really matter how complex they
are once they have been leaked. The official lesson
here is of course patch. The less official version is if
you're buying expensive enterprise software or cheap
security cameras, they have the same type of vulnerabilities. So better get ready for it. And AhnLab did release
a blog post showing an interesting trick that
attackers are using by loading an old driver. Now we often
have the bring a vulnerable driver technique. That's a little bit of a variation of this technique. The idea is that
there are a number of drivers that have special powers in
the operating system. They're as a result digitally signed, so they can't be
altered. However, if they have a vulnerability, well, then
they can be used in order to elevate privileges. That's sort of your classic bring a vulnerable driver
vulnerability, where an attacker is using a driver
with a known vulnerability that has a valid signature in
order to usually achieve system privileges. This is a
little bit sort of a different variation of this attack. The
driver in question here is called the truesight.sys
driver. This driver came originally as part of an anti-rootkit actually, so anti-malware, but had the little
bit iffy side effect where it could be used to terminate
arbitrary processes, even if they were not associated with
a rootkit. And that essentially then led to a
limited privilege escalation, where an attacker was able to
shut down security processes. And with that, they're able to
load additional malware. Now, this particular vulnerable
driver was originally put on Microsoft's driver block list.
Microsoft maintains a list of known vulnerable drivers. And
well, this was one of them now. So it was added to the
block list. The problem here was then that aside from the
block list of not really working the way it's designed
to, but even if it would have worked the way it was designed to, it wouldn't block this particular driver, at
least an old version of this driver, because the block list
only goes back for drivers to 2015. And there was a
vulnerable version of this driver version 2.0.0 that was
published before. So that one could still be used. Well,
then the attacker also applied the zero-padding trick to
actually modify the driver as they're being loaded. So we're
back to certificate bypass here, issues here that are
also part of these sort of older vulnerabilities. The end
effect is that the attacker is able to load the driver. The
attacker is now gaining privileges to shut down
arbitrary processes. And yes, attackers yet again used this
particular driver to then kill security processes. Microsoft
apparently has added now the old version to their block
list as well. As I said, that's more missed than hit
when it comes to hit and miss with this driver block list.
Lots of reports that they actually don't really work
very well. Hopefully some regular anti-malware and such
will also add these old drivers to their signatures to
hopefully block them from being used. And in security
announcements, we got two updated announcements from
Synology affecting a number of their camera products. Take a
look if there are any new products being added here to
the vulnerable products list that are affected by this. The
vulnerabilities are critical. They are remote code execution
vulnerabilities. They were mostly discovered as part of
the Zero Day Initiative's Pwn2Own contest. So definitely
something that you do want to address. There's, for example,
some arbitrary remote read vulnerabilities, also
execution of arbitrary code, and then also some machine-in-the-middle attacks that are being addressed here. Well,
and that's it for today. Thanks for listening. Thanks
for recommending the podcast. If you meet anybody from SANS,
let them know that you listen to and like the podcast. And
any feedback, as always, welcome. Playing a little bit
with different backgrounds and lighting and such or content.
If I say anything wrong or missed something, please let
me know. Thanks and talk to you again tomorrow. Bye.
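As an added example, not part of the podcast and not code from SANS or Cisco, here is a small Python log check in the spirit of the Smart Licensing Utility scanning described above: it decodes Basic Authorization headers, matches them against a defender-maintained list of known leaked static credentials, and also flags the .env probes the same scanners send. The credentials, URLs and log lines are constructed placeholders, since the podcast quotes none of them.

```python
import base64
import binascii

# Constructed placeholders: the podcast quotes neither the leaked credentials nor the URL.
KNOWN_STATIC_CREDENTIALS = {
    ("cslu-static-user", "Pl@ce#holder!"): "cisco-smart-licensing-utility",
    ("dvr-static-user", "Pl@ce$holder"): "video-recorder",
}
SECRET_FILE_PROBES = ("/.env", "/.git/config")

def decode_basic_auth(header):
    """Return (user, password) from a 'Basic <base64>' header, or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def classify_request(path, authorization):
    """Label a request as a static-credential probe, a secret-file probe, or None."""
    creds = decode_basic_auth(authorization) if authorization != "-" else None
    if creds in KNOWN_STATIC_CREDENTIALS:
        return "static-credential:" + KNOWN_STATIC_CREDENTIALS[creds]
    if path.split("?", 1)[0] in SECRET_FILE_PROBES:
        return "secret-file-probe"
    return None

def scan_log(lines):
    """Collect the distinct probe labels seen per client from 'client method path auth' lines."""
    findings = {}
    for line in lines:
        client, _method, path, auth = line.split(" ", 3)
        label = classify_request(path, auth)
        if label:
            findings.setdefault(client, set()).add(label)
    return findings

def _basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

SAMPLE_LOG = [  # constructed sample traffic, not a real capture
    "198.51.100.7 GET /placeholder-cslu-api " + _basic("cslu-static-user", "Pl@ce#holder!"),
    "198.51.100.7 GET /.env -",
    "198.51.100.7 GET /placeholder-dvr-cgi " + _basic("dvr-static-user", "Pl@ce$holder"),
    "203.0.113.9 GET /admin " + _basic("admin", "admin"),
]
```

A client that collects several unrelated labels, as 198.51.100.7 does here, matches the multi-vulnerability botnet scanning pattern described in the episode.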