Hello and welcome to the Thursday, January 30th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

One of the comments we often get when we're talking about Python malware is that on Windows, usually there is no sort of full Python environment like you have it commonly on Linux. Well, today Xavier has an interesting piece of Python malware that actually includes the entire Python environment in the form of a fake document. Document.zip is being downloaded here with the Python environment. Also interesting, and not really that terribly unusual, when you start the malware, a PDF will open. In this case, some sort of generic Garmin-related PDF. This is usually done to make the user feel like they opened a document. Probably the pretense here for delivering the malware was that this attachment is supposed to include this PDF document. So if the user now clicks on the file, which really starts the malware, the PDF is opened for them, making them feel safe and sound, while in the background all of their crypto coins and other sensitive information is being exfiltrated.

Then I have two updates for Fortinet users. First of all, there is an exploit apparently for sale now. According to ThreatMon, who posted on X, they saw an exploit for sale on a Russian forum. This exploit apparently takes advantage of the vulnerability I talked about yesterday. That's the interesting remote access via WebSocket bypassing authentication vulnerability. So definitely make sure that your devices are patched. It affects FortiOS version 7.0.0 through 7.0.16. The second item is a little bit related maybe, but Fortinet also notified its users that if you are running a device without a FortiCloud license, if you don't have an active subscription, you must update the device within seven days or you essentially will lose access to the FortiCloud interface via the device. Interesting strategy here to really push users to update quickly. Again, this only affects devices without a subscription. So of course, the other motivation here is to get users to sign up for a subscription. The advisory also points out that you can use the auto-update feature in order to make sure that you are complying with this particular rule. Seven days sounds a little bit short, but that's the time limit they give you here to update your devices.

And SonarQube reviewed the open source Voyager package. This is a PHP package that's designed to manage Laravel applications, Laravel being the PHP framework. Both the Laravel framework and Voyager are extremely popular with millions of downloads. So nice for someone to look for vulnerabilities here. And they found three good ones. The first one, probably the most important one here, is an arbitrary file write vulnerability. Next, there is also a reflected cross-site scripting vulnerability. And finally, an arbitrary file leak and deletion vulnerability. In particular, of course, arbitrary file writes are always critical since they often then lead to arbitrary code execution. This actually involves polyglot files, which is always an interesting issue. We covered that a little bit in class this week, where it can be quite difficult to actually figure out the correct MIME type for a file. Sometimes there are files that identify as multiple MIME types. It's easy to then mislabel them.

And attackers are apparently exploiting an unpatched vulnerability in Zyxel devices. This vulnerability was actually discovered and reported back in July. So it has been known, and has also been publicly known, for a while. Finally, attackers got around to exploiting it. So no big surprise here. What's probably more surprising is that there is still no patch apparently available for this vulnerability.

And talking about patches, VMware released a patch for a vulnerability in the Avi Load Balancer. This is an unauthenticated blind SQL injection vulnerability, and VMware assigned it a CVSS score of 8.6. Certainly something that you do want to patch. It was reported privately to VMware, so there are no additional details available at this point, and no known exploit at this point.

Well, and this is it for today. So thanks again for listening. Thanks to everybody who is sending in links. In particular, for example, the FortiGate news came in from a listener. Thanks and talk to you again tomorrow. Bye.
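The polyglot problem raised in the Voyager segment above, that a file can identify as more than one MIME type and a single check will mislabel it, is easiest to see in a small upload validator. The following Python is an added example written for this episode; it is not code from the Stormcast, from the Sonar researchers, or from the Voyager project, and the function names, the signature tables and the sample files are all constructed here. It checks three things that must agree before an upload is accepted: the type claimed by the extension, the type announced by the magic bytes at offset 0, and the absence of any interpreter marker (PHP open tag, script tag) anywhere in the body.

```python
"""Flag polyglot uploads: files whose leading magic bytes claim one type while
markers for a scriptable type appear elsewhere in the body.

Added example for the Stormcast's polyglot/MIME discussion. Constructed here;
not code from the Stormcast, SonarSource, or the Voyager project."""
import re
from typing import Optional

# Magic bytes that must sit at offset 0 for a file to claim this type.
LEADING_MAGIC = {
    b"%PDF-": "application/pdf",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
    b"PK\x03\x04": "application/zip",
}

# Markers an interpreter would act on regardless of what the header says.
# A file that is an image up front and PHP further down matches both tables.
EMBEDDED_MARKERS = [
    (re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE), "text/x-php"),
    (re.compile(rb"<script\b", re.IGNORECASE), "text/html"),
]

# MIME type the upload is claiming via its file extension (assumed mapping).
EXT_TO_MIME = {
    "pdf": "application/pdf", "png": "image/png", "gif": "image/gif",
    "jpg": "image/jpeg", "jpeg": "image/jpeg", "zip": "application/zip",
}


def sniff_leading(data: bytes) -> Optional[str]:
    """Return the type announced by the magic bytes at offset 0, or None."""
    for magic, mime in LEADING_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def find_embedded(data: bytes) -> list[str]:
    """Return every scriptable type whose marker appears anywhere in the body."""
    found = {mime for pattern, mime in EMBEDDED_MARKERS if pattern.search(data)}
    return sorted(found)


def classify(filename: str, data: bytes) -> dict:
    """Decide whether an upload is safe to store under its claimed type.

    Accept only when extension, leading magic and body agree: the extension
    must map to the same type the magic bytes announce, and no interpreter
    marker may appear anywhere in the file. A file that passes the magic
    check but carries a marker is reported as a polyglot.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_MIME.get(ext)
    leading = sniff_leading(data)
    embedded = find_embedded(data)
    extension_mismatch = claimed is None or leading != claimed
    polyglot = leading is not None and bool(embedded)
    return {
        "claimed": claimed,
        "leading": leading,
        "embedded": embedded,
        "extension_mismatch": extension_mismatch,
        "polyglot": polyglot,
        "accept": not extension_mismatch and not embedded,
    }


# Constructed sample uploads for demonstration (not real samples).
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
GIF_PHP_POLYGLOT = b"GIF89a" + b"<?php echo 'polyglot'; ?>"
PDF_WITH_SCRIPT = b"%PDF-1.4\n1 0 obj\n<script>console.log('x')</script>\n"

if __name__ == "__main__":
    samples = [("logo.png", CLEAN_PNG), ("avatar.gif", GIF_PHP_POLYGLOT),
               ("logo.png", GIF_PHP_POLYGLOT), ("notes.pdf", PDF_WITH_SCRIPT)]
    for name, blob in samples:
        print(name, classify(name, blob))
```

The point of scanning the whole body rather than only the header is that a valid GIF or PDF prefix is exactly what a MIME sniffer keys on, so "GIF89a" followed by PHP satisfies an image check while still being executable PHP if the web server ever serves it through the interpreter. Rejecting on any embedded marker, and additionally storing uploads under a server-chosen name in a directory that is never handed to the interpreter, removes both halves of the arbitrary-file-write-to-code-execution chain described in the episode.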