Hello and welcome to the Tuesday, March 11, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Well, Xavier went out and went malware hunting again in one of his malware safaris. He came across another odd API call. That's actually one of the tricks that Xavier often uses: looking for odd API calls. The odd API call here was a Windows API call, UuidFromStringA. So what it does is it takes a UUID, a Universally Unique Identifier. These are those long 128-bit identifiers. It takes that string and converts it into its binary format. In this case, it was actually used to encode malware. So the malware was encoded in UUID strings, 16 bytes or 128 bits at a time. It was transmitted to the victim in this format and then decoded into its original binary form using this Windows API call. But the actual script was written in Python. Turned out to be a Cobalt Strike beacon. But overall, still important to know that yes, attackers can use these creative API calls to encode malware in various formats. And apparently, according to Xavier, the Lazarus group, the North Korean group often going after crypto coin, well, has been known to use this particular trick in the past.

And we have a little bit of an interesting, tricky vulnerability. I mainly want to cover it because it's a little bit confusing here. It's a vulnerability in Moxa switches. Moxa makes switches for factory environments, so a lot of them are used in ICS and OT networks. The problem here is that this particular vulnerability, which they call a front-end authorization logic disclosure vulnerability, that can be used to bypass authentication and gain admin access to the switch, well, it was originally disclosed and patched January 15th. But I saw yesterday, actually, this vulnerability come back. I saw a new bulletin being issued. So I was wondering what was going on here. Well, the problem is that the scope expanded. The original disclosure just covered the EDS-508A series switches. This new disclosure now covers the PT series switches. So pay attention here if you're running Moxa switches in your environment, that everything is up to date and patched.

And users of OpenText Identity Manager Advanced Edition should be upgrading to version 4.9. The vulnerability that's being addressed here is allowing the exposure of insufficiently protected credentials. The impact of the vulnerability is that an authenticated user can escalate privileges, can get higher credentials for a more privileged account. This is usually not something that's considered sort of a critical privilege escalation. But in this case, because the product is an identity management system and is responsible for often protecting a large number of applications, it's certainly something that you should address quickly.

Well, then for any fellow PHP developers out there, if you're using Livewire, which is often used in PHP to create good-looking frontends, well, then you may also be using Volt, which is an API to interface with Livewire. Volt had just patched a remote code execution vulnerability. It does take advantage of some of the templates here being used, which can then be used in order to inject PHP code. The vulnerability description here on the Livewire GitHub is a little bit of a joke. It's a one-liner: "Malicious user-crafted request payloads could potentially lead to remote code execution within Volt components." Make sure you are updated to version 1.7.0 or later.

Well, this is it for today. So thanks again for listening. Thanks to everybody liking, subscribing, and also leaving good reviews for this podcast. And tomorrow, of course, don't forget, it's Patch Tuesday. Well, and talk to you again tomorrow. Bye.
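The UUID-encoding trick described in the first segment, as an added analyst's example that is not from the podcast or from Xavier's diary: given a script that carries its payload as a list of UUID strings, this pulls the strings out and recovers the original bytes for inspection. The key detail is byte order. UuidFromStringA fills a UUID struct whose Data1, Data2 and Data3 fields are little-endian integers, so Python's `uuid.UUID(...).bytes_le` reproduces the in-memory layout; decoding with RFC 4122 order (`.bytes`) scrambles the first eight bytes of every chunk. The script text, the UUID strings and the 32-byte ASCII payload are all constructed for this example, and the function names are my own.

```python
import math
import re
import uuid

# Textual UUID form accepted by UuidFromStringA: 8-4-4-4-12 hex digits.
UUID_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)

# Constructed sample script. The two UUIDs encode the ASCII text
# "This is a constructed sample!!!!" (32 bytes), not a real payload.
SAMPLE_SCRIPT = '''
# (constructed) loader fragment that would hand each string to UuidFromStringA
blob = [
    "73696854-6920-2073-6120-636f6e737472",
    "65746375-2064-6173-6d70-6c6521212121",
]
'''


def extract_uuid_strings(text: str) -> list[str]:
    """Return every UUID-shaped string in the script text, in order."""
    return UUID_RE.findall(text)


def decode_uuid_payload(uuid_strings) -> bytes:
    """Rebuild the bytes UuidFromStringA would write, 16 bytes per UUID.

    Data1 (u32), Data2 (u16) and Data3 (u16) are stored little-endian,
    Data4 is 8 raw bytes; uuid.UUID.bytes_le gives exactly that layout.
    """
    return b"".join(uuid.UUID(s).bytes_le for s in uuid_strings)


def decode_rfc_order(uuid_strings) -> bytes:
    """The wrong decoder: RFC 4122 big-endian order, shown for contrast."""
    return b"".join(uuid.UUID(s).bytes for s in uuid_strings)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted blobs sit near 8, text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(script_text: str) -> dict:
    """Summarise what a script's UUID strings decode to, for a quick verdict."""
    strings = extract_uuid_strings(script_text)
    payload = decode_uuid_payload(strings)
    return {
        "uuid_count": len(strings),
        "payload_len": len(payload),
        "entropy": round(shannon_entropy(payload), 2),
        "looks_like_pe": payload[:2] == b"MZ",
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SCRIPT)
    print(report)
    print(decode_uuid_payload(extract_uuid_strings(SAMPLE_SCRIPT)))
```

A script that embeds dozens of UUID strings next to a `ctypes` call into `rpcrt4` is itself a useful hunting signal; once the blob is recovered, the entropy and header checks in `triage` tell you whether it is worth handing to a disassembler or a sandbox.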