Hello and welcome to the Thursday, February 20th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

If you're into gaming, then you probably are somewhat familiar with the cat-and-mouse game between cheaters in online games and software trying to prevent cheating in these online games. Now, the tricky part here is that quite often software that claims to allow you to bypass some of these cheat protections actually turns out to be malware. And Xavier ran into a case like that. He did find a particular piece of software that called itself XIGNCODE Unblocker 2025. XIGNCODE is one of these anti-cheat software packages. So this apparently tries to unblock the anti-cheat software. At least that's what it claims to do. However, what sort of attracted Xavier's attention was not the cheating part here or the anti-cheating part, but instead that these executables had PowerShell code embedded in the code. And that, of course, well, looked very much like malware, which it then turned out to be. XWorm is what Xavier identified it as. Interesting obfuscation technique. And I think Xavier is still looking for some help here to really identify everything that's happening here with this particular malware. There are links to the VirusTotal copies of the malware in the diary.

Well, and then we got some interesting news from Microsoft today regarding some real breakthrough advances when it comes to quantum computing. And, of course, that's always one thing to watch. Everybody's sort of afraid of: you know, when do we have to switch to quantum-safe ciphers from a security point of view? And this is sort of one of those breakthroughs that may significantly accelerate that deadline. So definitely something to worry about and to watch. Microsoft calls this new, essentially, processor that they developed the Majorana 1 chip. And the name comes from a specific particle they're using here. Actually, it's not sort of a normal particle, but really sort of an assembly of particles that's constrained on the chip by a very tiny wire that essentially limits how this particle can behave. So this is not sort of your regular conductor or anything like this. They call it a topological circuit. There's a little bit of salesmanship here in the article. But underneath it all, there is a real breakthrough here in having the ability to build quantum computers with possibly thousands of qubits with low error rates. These are really kind of the things that we're missing from quantum computing so far and probably make breaking of encryption algorithms that are not quantum safe much more realistic than what we had before. So definitely look into these algorithms. I think that's the first time for me that I'm really worried that within the next five to ten years, we do have something like this available in probably Azure's cloud for cheap for everybody to use that could break potential ciphers. We'll have to see what the details work out to be once there's some more independent testing of these circuits. But this certainly looks like they moved it sort of from the research phase, where it worked once, to the engineering phase, where they get it to work repeatedly.

Well, and then we have some interesting threat intelligence coming from Google. Google is observing what they consider a Russian-linked threat actor phishing Signal accounts from Ukrainian victims. And this is, again, one of these examples where the user interface does not really communicate well to the user what's happening behind the scenes. Signal uses QR codes for a number of purposes. One purpose is to easily communicate to a user the address for a group channel. So if I would like to invite you to my group channel, I would send you a QR code. You scan it with your device and then you're a member of the group. However, there is another, more critical thing that you can do with QR codes, and that is linking a new device to your account. So what the threat actor does here is they're setting up a new device for Signal. That new device will display a QR code to be scanned by a device that's already connected to Signal so the two devices can share the same account. And that's exactly what they're doing. They're taking that QR code. They're sending a message to the victim claiming that this is their new group channel. And then when they're scanning that QR code, they're not actually connecting to the group channel. Instead, they're linking their account to the attacker's device. So the attacker will now see any future messages being sent to the victim's Signal account. This, of course, is not breaking any of the encryption or sort of integrity of the Signal communication channel. It's, again, one of these human interface issues. Signal apparently has released an update to address some of that, to make it more obvious what's happening here. I haven't played with it yet to see how different it is from the old user interface.

Well, just a quick update here without a link in the show notes. But I just saw that CISA added a new Fortinet and Palo Alto vulnerability to their Known Exploited Vulnerabilities catalog. I think these are vulnerabilities I already talked about. So I'm not going to cover it here any further. But with all these vulnerabilities in these devices, it's always hard to keep them apart.

Well, that's it for today. Thanks to the users who noticed the green tint in yesterday's video. I think there's a defect in the camera I'm using. Still experimenting with that. Let me know how it goes. I'm not that great with color. So trying to do a little bit of trial and error here. Thanks and talk to you again tomorrow. Bye.
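The Signal QR-code issue above comes down to two very different actions hiding behind the same kind of code. As an added illustration, not code from the episode or from Signal, here is a small classifier that tells a group invite apart from a device-linking request before a user acts on it; it assumes Signal's public URI shapes (group invites as `https://signal.group/#...` links, device linking as `sgnl://linkdevice?uuid=...&pub_key=...`), which the transcript does not spell out, and the sample payloads are constructed.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample payloads (not real tokens); the URI shapes are an
# assumption about Signal's public formats, not taken from the episode.
SAMPLE_GROUP_INVITE = "https://signal.group/#CjQKIExampleGroupInviteToken"
SAMPLE_DEVICE_LINK = "sgnl://linkdevice?uuid=ExampleUuid&pub_key=ExampleBase64Key"

# What each class of code actually does, in the words a user should see.
EFFECT = {
    "group-invite": "joins a group chat; no account access is shared",
    "device-link": "adds ANOTHER DEVICE to your account; it will receive "
                   "your future messages",
    "unknown": "not a recognised Signal code",
}


def classify_signal_qr(payload: str) -> str:
    """Classify a decoded QR payload as 'group-invite', 'device-link' or 'unknown'."""
    p = urlparse(payload.strip())
    if p.scheme == "https" and p.netloc == "signal.group" and p.fragment:
        return "group-invite"
    if p.scheme == "sgnl" and p.netloc == "linkdevice":
        q = parse_qs(p.query)
        if "uuid" in q and "pub_key" in q:
            return "device-link"
    return "unknown"


def should_warn(payload: str, claimed: str) -> bool:
    """True when the code does something other than what the sender claimed.

    The lure in the episode claimed 'new group channel' but carried a
    device-linking code, so claimed='group-invite' and the payload is a
    device link: exactly the mismatch this flags.
    """
    return classify_signal_qr(payload) != claimed


def describe(payload: str, claimed: str) -> str:
    """Plain-language prompt a scanner UI could show before acting on the code."""
    kind = classify_signal_qr(payload)
    text = f"This code {EFFECT[kind]}."
    if should_warn(payload, claimed):
        text += f" WARNING: it was presented as a {claimed}, but it is a {kind}."
    return text


if __name__ == "__main__":
    print(describe(SAMPLE_GROUP_INVITE, "group-invite"))
    print(describe(SAMPLE_DEVICE_LINK, "group-invite"))
```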