Hello and welcome to the Friday, February 7th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Xavier today wrote up an interesting anti-debugging system that he found in a Python script. It labels itself as a multi-layer anti-debugging system, actually an "unbreakable" multi-layer anti-debugging system. It's implemented in various threads that run in parallel. That in itself, of course, makes it a bit more difficult to figure out what's going on here and to disrupt these anti-debugging techniques. Some of them are sort of well known, for example checks whether the program is being traced. But there are also some interesting things, for example overwriting the file itself with randomized lines in order to prevent hashing. It also calculates a checksum of its memory footprint every so often to detect tampering. Interesting techniques here; of course, they can all get bypassed, in particular in something like a Python script, where it's not that difficult to go into the file and make changes to the file, for example to disable some of these techniques. Xavier is going over some of the other sort of interesting techniques here as well. There are about a dozen or so techniques in total that are being employed by this single piece of malware.

When it comes to remote management tools, there's often a fine line between which tools are malicious and which tools are beneficial for an organization. And that line is usually not defined by the tool that's being used but by who is actually using the tool. We often see, well, most famously, tools like VNC and RDP being used by attackers in order to remote control compromised systems. Silent Push has a good little update on how ScreenConnect is currently being used. Again, a legitimate tool that's often used by administrators to remotely manage systems but is also used by attackers. Silent Push is listing some of the techniques they are recently seeing here and also some indicators of compromise that you may find helpful. In general, when it comes to these remote management tools, you must control them. Only allow authorized tools to be installed. Attackers often install legitimate tools like ScreenConnect or VNC to essentially hide the tool, because it's often then not really recognized as malicious, as it's a legitimate tool. Also, of course, on the network you must control what kind of protocols are being used. That tends to be kind of difficult these days because all of these tools typically at least have a mode in which they can just tunnel over HTTPS natively without sort of installing any additional VPN software.

Kaspersky published a blog showing they found malware that steals crypto wallet recovery phrases from both Android and iOS. Of course, different malware, but apparently coming from the same source and using similar techniques. Both pieces of malware look for images, then run OCR on these images using the Google machine learning library, both on iOS and Android, and then exfiltrate any crypto wallet passphrases that they may find. The affected apps have already been removed from the respective app stores, but of course, as always, expect follow-ups and copycats once an attack like this becomes known. In this particular case, they included the malicious functionality in a software development kit. Interestingly, the iOS app they found was a Chinese food delivery app that may have just used the particular software development kit. Not sure if the entire app was functional or whether it was just malicious, but very likely that someone who is looking for this particular food delivery app would actually fall for this scam.

And then we've got a couple of patches to talk about before the weekend. First of all, Cisco released an update for its Identity Services Engine, ISE. It fixes two vulnerabilities that do allow arbitrary code execution as well as authorization bypass. And we got a monthly update from F5. F5 fixed a single TLS-related vulnerability. This vulnerability I don't think is that super critical. It's a TLS sort of session resumption vulnerability. It could be used to bypass authentication via client certificates, which of course is interesting. It does require that you have named virtual hosts, which of course is probably rather common.

Well, that's it for today. Before I sign off, a little bit of homework. I'm looking for some feedback here. We're just about a month into doing the video part of the podcast. I'm still refining some of the details here, of course, but the two sort of goals I set myself here are, first of all, I don't want to make the audio-only version any worse. So let me know if I accomplished that. And the video version, which I know actually has picked up some viewers across different social media channels in particular: if it does help you, if there's anything that could make it a little bit better here. Of course, I can't really do much more sort of from a production value standpoint here, just because time is limited to produce something like this daily. And eventually I'll start traveling again and this has to work while on the road as well. That's it for today. So please send me any feedback and talk to you again on Monday. Bye.
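As an added example (not part of the Stormcast or of Xavier's diary, and not the script he analyzed), the following triage helper shows how an analyst can statically flag the categories of anti-analysis behaviour described in the first story before running an unknown Python sample: tracer checks, writes to the script's own file, periodic hashing, and background threads. The indicator names in SUSPICIOUS_ATTRS and the short SAMPLE script are my own assumptions and a constructed input, chosen only so the scanner has something to find; real samples will need the lists tuned.

```python
import ast
from collections import defaultdict

# Assumed indicator table (added example): category -> attribute names that
# commonly implement the technique. Hashing and threads are legitimate on
# their own, so they are only meaningful in combination with the others.
SUSPICIOUS_ATTRS = {
    "debugger_check": {"gettrace", "settrace", "ptrace", "breakpointhook"},
    "memory_or_file_checksum": {"md5", "sha1", "sha256", "blake2b"},
    "background_threads": {"Thread", "start_new_thread"},
}


def _open_mode(call: ast.Call):
    """Return the mode string passed to open(), or None if not a literal."""
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        return call.args[1].value
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            return kw.value.value
    return None


def scan_source(source: str) -> dict:
    """Walk the AST and return {category: [line numbers]} for each indicator."""
    tree = ast.parse(source)
    findings = defaultdict(list)
    for node in ast.walk(tree):
        # Attribute accesses such as sys.gettrace, hashlib.sha256, threading.Thread
        if isinstance(node, ast.Attribute):
            for category, names in SUSPICIOUS_ATTRS.items():
                if node.attr in names:
                    findings[category].append(node.lineno)
        # Self-modification: open(__file__, ...) in a write or append mode.
        # Reading __file__ is normal (e.g. to hash itself), so only writes count.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "open" and node.args
                and isinstance(node.args[0], ast.Name)
                and node.args[0].id == "__file__"):
            mode = _open_mode(node)
            if isinstance(mode, str) and any(c in mode for c in "wa+"):
                findings["self_modification"].append(node.lineno)
    return {k: sorted(v) for k, v in findings.items()}


def triage(source: str):
    """Return (findings, verdict). Three or more categories together is the
    layered pattern worth a closer look; one alone is usually benign."""
    findings = scan_source(source)
    if len(findings) >= 3:
        verdict = "multiple anti-analysis indicators"
    elif findings:
        verdict = "single indicator, probably benign"
    else:
        verdict = "no indicators"
    return findings, verdict


# Constructed sample input (not real malware): a minimal script that exhibits
# one instance of each behaviour category so the scanner has something to find.
SAMPLE = '''\
import sys, threading, hashlib, random

def watch_tracer():
    while True:
        if sys.gettrace() is not None:
            sys.exit(1)

def scramble_self():
    with open(__file__, "a") as f:
        f.write("# " + str(random.random()) + "\\n")

def check_memory():
    blob = "".join(sorted(globals().keys())).encode()
    return hashlib.sha256(blob).hexdigest()

threading.Thread(target=watch_tracer, daemon=True).start()
'''

if __name__ == "__main__":
    found, verdict = triage(SAMPLE)
    for category, lines in found.items():
        print(f"{category:26s} lines {lines}")
    print("verdict:", verdict)
```

The scanner is deliberately a triage aid, not a verdict engine: a single hashlib call or worker thread is everyday Python, and the point of the diary is that the sample stacks many such layers at once, which is why triage() only escalates when several categories co-occur.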