Hello and welcome to the Thursday, February 13th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and I'm recording from Jacksonville, Florida.

Well, today we got a diary from Yee Ching, and Yee Ching is writing actually about a scientific paper that he and his colleagues are about to publish that deals with smart city infrastructure. Smart cities, of course, are a big deal. Yee Ching is from Singapore, which has heavily signed up to implement smart city technologies. And it's kind of nice to see that people are already thinking about how to defend smart city technologies and how to securely implement them. And that's a little bit sort of what Yee Ching's post is about. They look in particular at SCOPE. SCOPE is an ontology in order to describe smart city threats. Now, just for those of you who don't know, ontologies are essentially used to define a standardized vocabulary when you're dealing with a subject matter. You can, for example, see something like the MITRE ATT&CK framework as an ontology. SCOPE is specifically targeting smart cities. Sadly, well, what Yee Ching found is that it's not quite as applicable as they hoped yet for smart city threats. And for more details, well, I'll refer to Yee Ching's diary.
And Microsoft observed an interesting technique being used by North Korean attackers against victims in South Korea, in particular targeting more sophisticated users. A lot of the time, when we're talking about phishing and attacks like this, social engineering training often focuses more on non-technical users because they're often the more likely target here. But of course, more sophisticated users, system administrators and the like, are a much more valuable target. So attackers are spending more time and effort actually getting through to these targets. That apparently is what's happening here, where the attacker is first establishing a relationship with the victim in the form of emails claiming to be associated with the South Korean government in this particular case. And it all then culminates in the attacker sending instructions in the form of a PDF on how to solve a particular problem on a system. But these instructions then essentially result in actually running a PowerShell command that will install a backdoor. So this is a very dangerous attack if successful, because now you have an authorized administrator in your network running a PowerShell command, which may not necessarily trigger an alert. When you're alerting on PowerShell, you often look for users that don't execute PowerShell as part of their day-to-day work. But of course, an administrator like this may routinely run PowerShell commands to change configurations and the like on systems. So this is easily going to slip under the radar. Be aware of these attacks, and if you are doing more specific training for these types of users, this is definitely something to include in the training. Given that this is now a public technique, I wouldn't be too surprised if you wouldn't see this even from organized crime and the like being used in order to infiltrate networks.

And we also have a few vulnerabilities to talk about.
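To illustrate the detection gap described above, here is an added example (not from the podcast or from Microsoft's report): a user-baseline rule misses a PowerShell command run by a routine PowerShell user, while a content rule on the command line still flags it. All events, user names and the encoded payload are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of PowerShell process-creation events (not real logs).
# HISTORY is what the administrator normally does; NEW holds today's events.
HISTORY = [
    {"user": "admin01", "cmd": "powershell.exe Get-Service -Name Spooler"},
    {"user": "admin01", "cmd": "powershell.exe Restart-Service -Name Spooler"},
    {"user": "admin01", "cmd": "powershell.exe Get-EventLog -LogName System -Newest 20"},
]
NEW = [
    # The scenario from the post: a trusted admin pastes a command from a PDF.
    # The base64 blob is a placeholder, not a real payload.
    {"user": "admin01", "cmd": "powershell.exe -NoProfile -WindowStyle Hidden "
                               "-EncodedCommand QUFBQUFBQUFBQQ=="},
    {"user": "jdoe", "cmd": "powershell.exe Get-Date"},
]

# Argument patterns that day-to-day configuration work rarely needs, so they
# are worth alerting on regardless of who launched the process.
SUSPICIOUS_ARGS = re.compile(
    r"(-e(nc(odedcommand)?)?\s+\S+|-w(indowstyle)?\s+hidden|-ex(ecutionpolicy)?\s+bypass)",
    re.IGNORECASE,
)

def build_baseline(history, min_runs=2):
    """Users who run PowerShell routinely (at least min_runs times in history)."""
    counts = Counter(e["user"] for e in history)
    return {u for u, n in counts.items() if n >= min_runs}

def unusual_user(event, baseline):
    """The usual rule: alert when someone outside the baseline runs PowerShell."""
    return event["user"] not in baseline

def suspicious_args(event):
    """Content rule: alert on the command line itself, independent of the user."""
    return bool(SUSPICIOUS_ARGS.search(event["cmd"]))

def triage(new_events, baseline):
    """Return (user, reasons) for every event at least one rule flags."""
    hits = []
    for e in new_events:
        reasons = []
        if unusual_user(e, baseline):
            reasons.append("user outside PowerShell baseline")
        if suspicious_args(e):
            reasons.append("suspicious PowerShell arguments")
        if reasons:
            hits.append((e["user"], reasons))
    return hits
```

Running `triage(NEW, build_baseline(HISTORY))` shows that the admin's event is caught only by the content rule, which is the point: a user baseline alone lets the administrator's command slip through.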
The first one is a remote code execution vulnerability in Wazuh server. Wazuh is a log monitoring, endpoint protection system. It's an open source system, but it does offer an API. And this API apparently suffers from one of those ubiquitous deserialization vulnerabilities, which then led to this vulnerability. There is no authentication required. Anybody who is able to access the API, which hopefully is only allowed to be accessed from inside your network, could potentially exploit this vulnerability.

Then we have several vulnerabilities in the PAM module for smart card authentication in Linux. The vulnerabilities essentially result in authentication bypass, which of course is a critical vulnerability. Also, CVSS scores here are in the high nines for these vulnerabilities. Some of these vulnerabilities may be rather trivial to exploit. It's a little bit surprising it took so long to have them found. For example, if there's an error condition, the error condition is ignored and you're automatically logged in. Also, some of the constraints for certificates and such are not observed correctly. Definitely something that you need to address quickly. And I would think by now you will find some updates just via your normal Linux distribution's update channels.

But then back to the friends of the show, as I call them, for all the content they're providing. Ivanti has released their February update. In particular, a number of critical vulnerabilities are being addressed in Ivanti Connect Secure, but also other Ivanti products are affected.

And well, that's it for today. Just a quick note about yesterday's podcast. I mentioned the iOS, iPadOS patches. Well, there was also a macOS update, but it did not address any security patches. There was a question that came up from a couple of listeners. That's it for today. Thanks for listening and talk to you again tomorrow. Bye.