Hello and welcome to the Thursday, February 27th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich and today I'm recording from
Jacksonville, Florida.

Well, today we have a guest diary by one of our
undergraduate interns, Robin Zaheer. Robin is writing about
the use of ephemeral ports in order to download malware.
This is something that happens quite commonly, where the web
server that the attacker is connecting to in order to
download additional malware is not listening on port 80,
443, not even port 8000, but instead on a very high port
like 60,000 something or such. This is certainly something
to look for when you're looking for anomalies, looking for
HTTP traffic, or HTTPS or TLS traffic for that matter, on
these high ports. You have to be a little bit careful. I've
particularly lately seen it more and more with web services
and such, where they sometimes listen on these high, odd
ports in cloud environments. Also, I think in part because
of the overloading of IP addresses, people sometimes use
these sort of random high ports. They're even sometimes
negotiated dynamically, where you first have some kind of
handshake that then defines what high port is being used.
This used to be more common, like for voice over IP and for
online gaming. But I've sadly seen this more and more with
sort of more mainstream applications as well, which of
course makes detection of this kind of attack activity more
tricky. Still something to look for. And if you can,
definitely block outbound connections on these high ports.
Again, just be careful that you're not disrupting any
important traffic.

Well, and
then we have actually two stories that are related to
attacks against developers, one of my favorite topics. I
definitely have to cover it here. The first one is a
malicious theme for Visual Studio Code. What makes this
theme particularly problematic is that it appears at least 4
million users have downloaded it, and the respective author
of this theme and a couple of others is one of the most
prolific authors on the Visual Code store. Now, this comes
from Amit Assaraf. Amit did not disclose yet what exactly
the indicators are that made them believe that this
particular theme is malicious. The theme was called the
Material Theme. And one little problem here is that when
you're applying a theme like this, you're thinking you're
changing the look and feel of the software, in this case
Visual Code, somewhat. But even a theme that pretty much just
changes colors and such often has the ability to also
execute code, and with that, of course, also execute
malicious code. It will be interesting to see once Amit
comes up with more details here. At this point, Amit is
asking anybody who has this theme installed to contact
them for more indicators of compromise. Now, there are a
couple listed here, essentially the names of the
theme files that you would have downloaded. The
supposedly malicious theme is no longer available in the
Visual Studio Code store.

And the second developer story we
have comes from the Bybit breach. I hope I pronounce this
correctly. You've probably heard of this, where Bybit
lost something like $1.3, $1.4 billion in Ethereum to a
likely North Korean threat actor. Well, the problem here
apparently is a compromised workstation of
SafeWallet developers. SafeWallet is a company that
provides web applications to basically facilitate the
signing of these Ethereum contracts. And JavaScript was
replaced in their application that specifically targeted
Bybit. So the next time Bybit went to the site and signed a
digital contract, this malware intercepted this and then
altered the contract. I just went to the SafeWallet site,
just because I wasn't really familiar with the site; I'm
not big into cryptocurrencies. And noted that they now have
a pop-up before you go to the site that specifically asks
you to verify the contract before you sign it. So I guess
that's how they are trying to counter this a little bit. I
think just yesterday I talked about how important it is to
keep your development and production infrastructures
separate, so a compromise of an individual developer's
machine cannot compromise your entire architecture and
infrastructure. We've had this happen a couple of times in
the past where compromised developer machines sort of
basically took down the entire organization. So please try
to avoid this. Have some kind of privileged access
workstation, or whatever you want to call it, that is
specifically designed to just be used to, for example,
manage things like updates, cryptographic keys and such on
production environments.

And then two other vulnerabilities I think
you should be aware of. First of all, two vulnerabilities in
rsync that could allow someone to take over a server
running rsync. Definitely something to be aware of.
Usually it's not really exposed like this to the
network. And then secondly, a vulnerability in the OpenH264
codec. If you're watching the video here, you're probably
using the H.264 codec. It's one of the big codecs being used
to encode video. So definitely that is probably affecting a
bunch of different software. And yes, it could lead to
remote code execution.

Well, and this is it for today. So
thanks again for listening. And thanks to everybody who's
recommending this podcast. Just saw a nice post today on
LinkedIn, I think. So thanks a lot for that. And of course,
always good to click the like or five star or whatever your
particular podcast app offers or leave a nice little review.
Thanks and talk to you again tomorrow. Bye.
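
Editor's added example (not part of the Stormcast or of Robin's
diary): one way to hunt for the high-port HTTP/TLS downloads
described in the first story, run over constructed Zeek
conn.log-style records. It relies on the protocol analyzer's
`service` label rather than on the port, so a server on
60,000-something still shows up as `http` or `ssl`, and it only
reports outbound flows from RFC 1918 space to the internet.
The `ALLOWLIST`, the sample records, and the internal ranges are
assumptions for illustration; a real deployment would tune them to
the environment to avoid breaking the legitimate high-port cloud
services the episode warns about.

```python
import ipaddress

# Constructed Zeek conn.log-style records (a subset of the real
# columns: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto,
# service, conn_state). Sample data for illustration, not captured traffic.
SAMPLE_CONN_LOG = """\
1740650000.1\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl\tSF
1740650001.2\t10.0.0.5\t51235\t198.51.100.7\t60123\ttcp\thttp\tSF
1740650002.3\t10.0.0.9\t51236\t203.0.113.9\t8000\ttcp\thttp\tSF
1740650003.4\t10.0.0.9\t51237\t203.0.113.50\t58443\ttcp\tssl\tSF
1740650004.5\t10.0.0.9\t51238\t203.0.113.50\t9000\ttcp\t-\tS0
1740650005.6\t10.0.0.12\t51239\t192.0.2.10\t49160\ttcp\thttp\tSF
1740650006.7\t192.0.2.77\t51240\t10.0.0.5\t55000\ttcp\thttp\tSF
"""

FIELDS = ("ts", "orig_h", "orig_p", "resp_h", "resp_p",
          "proto", "service", "conn_state")
WEB_SERVICES = {"http", "ssl"}  # Zeek analyzer labels for HTTP and TLS
EPHEMERAL_MIN = 49152           # IANA dynamic range; Linux defaults to 32768

# Assumed internal address space. RFC 1918 is spelled out instead of
# using ipaddress's is_private, which also treats the documentation
# ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical allowlist of known-good high-port web services
# (the cloud services and dynamically negotiated ports you do not
# want to block). Tune per environment.
ALLOWLIST = {("192.0.2.10", 49160)}


def parse_conn_line(line):
    """Split one tab-separated record into a dict; ports become ints.
    Returns None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["orig_p"] = int(rec["orig_p"])
    rec["resp_p"] = int(rec["resp_p"])
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_high_port_web(lines, ephemeral_min=EPHEMERAL_MIN, allowlist=ALLOWLIST):
    """Return outbound HTTP/TLS connections whose server port is in the
    ephemeral range. Each hit is (ts, orig_h, resp_h, resp_p, service)."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["service"] not in WEB_SERVICES:
            continue  # analyzer did not see HTTP/TLS on this flow
        if rec["resp_p"] < ephemeral_min:
            continue  # well-known or at least low server port
        if not (is_internal(rec["orig_h"]) and not is_internal(rec["resp_h"])):
            continue  # only outbound, internal -> external
        if (rec["resp_h"], rec["resp_p"]) in allowlist:
            continue  # known legitimate high-port service
        hits.append((rec["ts"], rec["orig_h"], rec["resp_h"],
                     rec["resp_p"], rec["service"]))
    return hits


if __name__ == "__main__":
    for hit in flag_high_port_web(SAMPLE_CONN_LOG.splitlines()):
        print("HIGH-PORT WEB: %s %s -> %s:%d (%s)" % hit)
```

On the sample data this flags the HTTP download from 198.51.100.7:60123
and the TLS session to 203.0.113.50:58443, while ignoring port 8000
(not ephemeral), the unidentified flow on 9000, the allowlisted
192.0.2.10:49160, and the inbound connection from 192.0.2.77. Each hit
is a candidate for a firewall block, but the allowlist step is where
the "don't disrupt important traffic" caveat lives.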