Hello and welcome to the Tuesday, February 4th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

The DA today wrote up a little problem that we actually keep having with this podcast whenever I post it to YouTube. And that's spam, but the spam is a little bit different in this case. The spam basically, as so often, says how nice the video is, but then states that they have a question: they have a crypto coin wallet and they would like to transfer the money out of that crypto coin wallet. And then they give you the seed phrase for the crypto coin wallet. Now, what surprised me when I saw these was: why did they give me the seed phrase? The seed phrase is essentially the secret key that you should never leak for your wallet. The DA dove into this deeper and also found a couple of other write-ups about this particular spam. What happens here is, first of all, the seed phrase is just a human-readable, easier-to-memorize way to express the secret key. So, yes, you can turn that into the secret key. The problem, however, in this case is that this wallet is protected with two secret keys. And the secret key they're giving you is not authorized to actually transfer money out of the wallet. So, what they're attempting here to do is for you to get greedy and attempt to transfer the money out. In order to transfer money out, you first have to deposit a little bit of cryptocurrency into the wallet in order to pay for the transaction fee. And that's what they're after. They wait for you to actually deposit the additional funds. And then you realize the transfer out actually doesn't work.

The other thing that sort of made me a little bit surprised, confused, was that they always advertise the OKX wallet. Because they say that they're using the OKX wallet. And at first I thought, maybe they're trying to just advertise this particular wallet. It's a browser plugin and such. Nothing really wrong with this wallet. The problem, however, is that this wallet does not display to you that this particular wallet does require a different signature to actually send money out of the wallet. So, that way it's easier for a victim to fall for the scam if they're using this specific wallet. Of course, there may be other crypto coin wallets that have the same problem in not really providing all the nitty-gritty details about what access you have to the wallet with a specific key. Interesting scam. Sorry if you're running into some spam like this on the YouTube page. I try to be pretty good about deleting it. If you see anything I missed, please let me know.

And then we got a number of, actually two different, vendors releasing updates for wireless access points, wireless routers. First one is MediaTek. A number of the vulnerabilities they're addressing are buffer overflows in the VLAN module. The problem here is that this actually would allow arbitrary code execution on the device itself without authentication. This often happens and it's not really explained in detail what the exact problem is. But a very common problem here is that in the 802.11 standard, there are certain fields that have, according to the standard, a maximum length that can be exceeded as you're actually sending the data. And it's likely an issue like this, which of course often may already have a working exploit, even though it's not declared here, because these pieces of software are often derived from open source implementations that may have fixed this problem in the past.

The other issue is D-Link. D-Link, there's a new vulnerability here. That's a remote code execution, again unauthenticated, in some of their routers. Sadly, no patches as they are end of life. We're talking here about particularly the DSR-150, DSR-250 routers. They no longer receive firmware since last May. So definitely you must replace those devices.

And Microsoft announced that they will discontinue the VPN service that was included in their Microsoft consumer security products. So if you rely on it, sadly, you will have to find a new provider. It works similar to Apple's Private Relay, so in particular for iOS, macOS devices, you still have that available. Personally, I'm not a huge fan of many of these sort of over-advertising VPN providers. Be careful what you pick because essentially you're just creating another bottleneck for traffic interception if you are using a specific VPN provider. So trust in the provider should really be an important criterion as you are selecting one. And for many home users, actually, a VPN isn't really all that necessary or useful. Maybe if you want to appear to be in a different country to bypass some movie restrictions or such.

Well, that's it for today. Please let me know if you liked a story or if I missed a story or if I should not have covered a particular issue. Thanks for listening and talk to you again tomorrow. Bye.
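The 802.11 length-field issue mentioned for the MediaTek item, as an added illustration that is not part of the podcast, of MediaTek's code, or of any specific advisory: a small C parser for 802.11 tagged parameters (information elements), where the SSID element is limited to 32 bytes by the standard but the on-the-wire length byte can claim up to 255. The unchecked variant trusts the sender's length byte as the copy size; the checked variant validates it against both the bytes remaining in the frame and the standard's maximum before copying. The frame bytes, the `ssid_info` struct and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Maximum SSID length per the 802.11 standard (element ID 0). */
#define SSID_MAX_LEN 32

enum parse_status {
    PARSE_OK = 0,
    PARSE_NOT_FOUND = 1,
    PARSE_TRUNCATED = 2,   /* element length runs past the end of the frame */
    PARSE_OVERLONG = 3     /* element length exceeds the standard's maximum */
};

struct ssid_info {
    uint8_t len;
    char name[SSID_MAX_LEN + 1];   /* NUL-terminated copy of the SSID */
};

/* The pattern the podcast describes: the length byte supplied by the sender
 * is trusted and used directly as the copy size into a fixed 32-byte buffer.
 * A length byte can encode up to 255, so this overruns out->name and reads
 * past the frame. Kept only for contrast; not safe on untrusted input. */
int parse_ssid_unchecked(const uint8_t *ies, size_t ies_len, struct ssid_info *out)
{
    size_t pos = 0;
    while (pos + 2 <= ies_len) {
        uint8_t id = ies[pos], len = ies[pos + 1];
        pos += 2;
        if (id == 0) {
            memcpy(out->name, &ies[pos], len);   /* no bound on len */
            out->name[len] = '\0';
            out->len = len;
            return PARSE_OK;
        }
        pos += len;
    }
    return PARSE_NOT_FOUND;
}

/* Hardened parser: each element is validated against the remaining frame
 * bytes before it is read, and the SSID against the standard's maximum
 * before it is copied. Oversized input is rejected rather than silently
 * truncated, so the caller can log it as a malformed frame. */
int parse_ssid_checked(const uint8_t *ies, size_t ies_len, struct ssid_info *out)
{
    size_t pos = 0;
    while (pos + 2 <= ies_len) {
        uint8_t id = ies[pos], len = ies[pos + 1];
        pos += 2;
        if (len > ies_len - pos)          /* claims more bytes than the frame carries */
            return PARSE_TRUNCATED;
        if (id == 0) {
            if (len > SSID_MAX_LEN)       /* exceeds the standard's limit: do not copy */
                return PARSE_OVERLONG;
            memcpy(out->name, &ies[pos], len);
            out->name[len] = '\0';
            out->len = len;
            return PARSE_OK;
        }
        pos += len;
    }
    return PARSE_NOT_FOUND;
}

/* Constructed sample element list (not captured traffic). */
static const uint8_t VALID_IES[] = {
    0xDD, 0x03, 0x00, 0x50, 0xF2,          /* vendor-specific element, skipped */
    0x00, 0x04, 'T', 'e', 's', 't',        /* SSID "Test" */
    0x01, 0x01, 0x82                       /* supported rates */
};

/* Returns 1 when the checked parser accepts the well-formed list and copies "Test". */
int example_valid(void)
{
    struct ssid_info info;
    return parse_ssid_checked(VALID_IES, sizeof VALID_IES, &info) == PARSE_OK
        && info.len == 4 && strcmp(info.name, "Test") == 0;
}

/* SSID element whose length byte (64) exceeds the 32-byte standard maximum. */
int example_overlong(void)
{
    uint8_t ies[2 + 64];
    struct ssid_info info;
    ies[0] = 0x00;
    ies[1] = 64;
    memset(&ies[2], 'A', 64);
    return parse_ssid_checked(ies, sizeof ies, &info);
}

/* SSID element claiming 16 bytes when only 2 remain in the frame. */
int example_truncated(void)
{
    static const uint8_t ies[] = { 0x00, 0x10, 'a', 'b' };
    struct ssid_info info;
    return parse_ssid_checked(ies, sizeof ies, &info);
}

int main(void)
{
    printf("valid: %d, overlong: %d, truncated: %d\n",
           example_valid(), example_overlong(), example_truncated());
    return 0;
}
```

Both checks matter independently: the frame-length check stops an element from reading beyond the received buffer, and the per-field maximum stops a legal-looking element from overflowing the fixed-size destination the standard's limit was used to size.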