Hello and welcome to the Monday, February 3rd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

If you have ever built a homelab, a cyber range, or maybe a little malware analysis system, aside from setting up the basic systems around it, installing operating systems and the like, one of the challenges sometimes is to adapt the particular lab to a specific task, like setting up domains, IP addresses and the like, to kind of simulate a little internet, for example, to act as command-and-control servers for any malware that you're detonating inside the lab. Well, Richard set up a number of PowerShell scripts to accomplish some of that. He will write a few diaries about this. The first that he just published deals with DNS settings, how to configure host names and the like in this lab. It's a PowerShell script, so for everybody here who likes to set this up in Windows, it is perfectly suited also to set up Active Directory and the like to match whatever environment you would like to emulate. Real neat little tool, so take a look at it and provide any feedback to Richard.

And there is still quite a bit of talk about security issues around DeepSeek. I mentioned last week how some of their backend databases leaked. Of course, one of the problems they're struggling with is dealing with the increased surge in traffic that they are receiving. They allege that there may also be some denial of service attack involved. Now, as a result, they apparently have sort of reworked their infrastructure a little bit. That led to some issues, at least over the weekend, I noticed, where they had a bad certificate. The reason the certificate was marked as bad was that it was actually issued by Huawei Cloud. I'm not sure if in China that's considered a trusted certificate, but at least my browser's common certificate authority database does not include this particular certificate authority. Since then, this has been fixed. It's now actually hosted behind Cloudflare and appears to be using a certificate issued by Google, at least when I'm connecting to it here from the US. Now, all of this confusion and limited availability has also opened the door somewhat for scammers. There have been apparently a number of scam lookalike websites and such, essentially phishing that was used to distribute malware. The trick that these websites are implementing is that they use a lookalike website of DeepSeek. So, the site looks pretty much like DeepSeek with one important difference. On the real DeepSeek.com website, well, to actually get started playing with the AI model, you click on Start Now. That part is replaced on the fake website with a download option. And, of course, that then leads you to malware. However, as always, if something hits the news big like this, in particular if they're struggling with keeping the site up, that's always something that attackers are paying attention to and definitely something that you need to be ready for and also something probably to share with your users that want to play with tools like this.

And PyPI announced that they're introducing a new project state for developers. Developers are now able to mark a project as archived. The meaning behind archived is just that, well, the project is no longer being maintained. There are no longer any updates to be expected for this project. As is, the project can, of course, still be used, but people should probably migrate to something else. Developers are encouraged, before they archive a project, to release a final release that explains a little bit why the project is being archived, maybe what to do next if you don't want to use this particular library. But overall, it looks like a nice step in the right direction. They're working sort of on more of these states of projects that developers are able to use to indicate essentially what's the exact sort of support status of a particular project.

And the FDA, as well as CISA, warned about an interesting backdoor in the Contec Health CMS 8000 patient monitor. I was a little bit wondering whether or not I should include this story because it's a fairly limited audience here, you know, basically hospitals and such that may be running this particular patient monitor. But I think this event has sort of further-reaching implications. One of the things I do want you to consider is to read through the indicators of compromise here, the particular methods being used to implement that backdoor, and then think about how you would detect a similar backdoor in a device on your network, whether it's a medical device or any other kind of device, and what kind of capabilities you have to essentially do a fingerprinting of a device to figure out what particular connections are normal for this device and which connections may raise concern. In this particular case, the connection actually went to China, which I think did substantially contribute to the detection of the backdoor. In many cases that may not be the case, where just a US-based cloud provider is being used in order to implement a backdoor like this. So try to figure out: do you know what IP addresses your devices routinely connect to?

Well, and this is it for today. So thanks for listening and talk to you again tomorrow. Bye. Bye.
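As an added example (not from the podcast or from the referenced diaries), here is a small Python script that does the kind of device baselining described in the last story: it learns which destination/port pairs a device normally talks to from a window of flow records and flags any connection outside that baseline, marking whether the destination is outside an assumed internal address range. The flow records and addresses are constructed for the example, and the simplified "timestamp src dst dport" line format is an assumption, not any real device's or sensor's output.

```python
"""Baseline a device's outbound destinations and flag departures from it.

Constructed sample data only; the record format (timestamp, source IP,
destination IP, destination port) is a simplified, made-up flow log.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records for one monitoring device (10.20.0.45).
BASELINE_FLOWS = [
    "2025-01-20T08:00:01 10.20.0.45 10.20.0.10 443",   # central station
    "2025-01-20T08:00:05 10.20.0.45 10.20.0.53 53",    # internal DNS
    "2025-01-21T08:00:02 10.20.0.45 10.20.0.10 443",
    "2025-01-22T09:15:00 10.20.0.45 10.20.0.11 443",   # second station
]
NEW_FLOWS = [
    "2025-02-01T03:12:44 10.20.0.45 10.20.0.10 443",
    "2025-02-01T03:13:01 10.20.0.45 203.0.113.9 443",  # never seen before
    "2025-02-01T03:13:02 10.20.0.45 10.20.0.53 53",
]

def parse_flow(line):
    ts, src, dst, dport = line.split()
    return ts, src, dst, int(dport)

def build_baseline(lines):
    """Map each source device to the set of (dst, port) pairs it used."""
    baseline = defaultdict(set)
    for ts, src, dst, dport in map(parse_flow, lines):
        baseline[src].add((dst, dport))
    return baseline

def find_new_destinations(baseline, lines, internal=("10.0.0.0/8",)):
    """Return flows whose (dst, port) pair is absent from the device's
    baseline, annotated with whether the destination is outside `internal`."""
    nets = [ip_network(n) for n in internal]
    alerts = []
    for ts, src, dst, dport in map(parse_flow, lines):
        if (dst, dport) in baseline.get(src, set()):
            continue
        external = not any(ip_address(dst) in n for n in nets)
        alerts.append({"ts": ts, "device": src, "dst": dst,
                       "port": dport, "external": external})
    return alerts

if __name__ == "__main__":
    for alert in find_new_destinations(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(alert)
```

A new external destination is the signal to investigate; a new internal one is usually a lower-priority change to review and, once confirmed, fold into the baseline.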