Hello and welcome to the Friday, April 18th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Orlando, Florida.

Today we got another guest diary by one of our undergraduate interns. Jacob Claycamp did write about how to get started in malware analysis. Of course, we have plenty of diaries always about malware analysis. Didier and Xavier most notably are heavily contributing to this. This is more the beginner's view of malware analysis and sort of how to get started with malware analysis using a cloud-based system. A couple of interesting parts here. First of all, Jacob is using AWS, a free instance, and then uses Kasm Workspaces in order to essentially get a remote desktop into a container which then runs REMnux. This is Lenny Zeltser's reverse analysis environment. All of this is Linux-based and since it is set up in a container, it's also easy to reset. And the cloud deployment, of course, makes it nice and isolated from anything that you may have going on in your home network. Overall, interesting setup. And then Jacob is going over a quick analysis of a RedTail sample and how to apply this particular environment to the analysis of this particular malware. Interesting write-up and nice step-by-step guide to help you get started.

And then we have a critical
vulnerability affecting the Erlang/OTP SSH library. This affects any SSH servers written in this language. The vulnerability was found by researchers at the Ruhr University in Bochum. Now, the OTP here in Erlang/OTP does not stand for one-time password. Instead, it does stand for the Open Telecom Platform. This particular version of Erlang was created and maintained initially by Ericsson and is often used in telecom-related devices, routers and the like. So, certainly there is quite a number of affected devices out there. The CVSS score of the vulnerability is a perfect 10.0 because it does allow for arbitrary code execution without authentication. The problem is that some SSH messages, some SSH protocol messages, can be sent and executed before authentication finishes due to this bug. And that then leads to arbitrary code execution. Now, the user this code executes as depends on the user the SSH server is running as at the time it receives these messages. Definitely upgrade, but of course, since this is a vulnerability in the library used to create the SSH server, you may have to wait for respective vendors to actually release updates here. In the meantime, the only alternative you have is to disable or firewall the SSH server.

In Belgium, security company
NVISO did release a report with details regarding some of their recent findings of the BrickStorm backdoor. BrickStorm has been used in Linux, in particular in sort of VMware environments, but now they also found a version of this backdoor on Windows. There are a couple of interesting things to note here. Unlike most backdoors, this backdoor actually does not have a remote code execution capability. They say that typically RDP and such is used instead by the attacker and that they specifically didn't include a remote code execution capability to evade some heuristic and behavioral detection that you often find that would flag any code execution behavior. Instead, this particular backdoor is able to read and write files from the file system. It also has some network components that would allow an attacker to essentially use an affected system as a pivot to scan other systems in the network. So certainly a capable piece of malware. Also interesting: as a command-and-control channel, they're using Cloudflare Workers and similar systems that again are less likely going to trigger alerts. Interesting report and it also includes some good indicators of compromise and ways and techniques for how you can actually find out if you are affected by this particular backdoor.

And OpenAI released
its latest greatest model, GPT-4.1, but this didn't happen amid some controversy around the security aspects here. First of all, this model was released without the usual safety reports or system cards, which typically outline how this particular model was created to be safe, meaning, for example, not allowing it to create malware. Well, and apparently some of these safeguards that you often find in these models are missing from GPT-4.1, making it trivial to create malware with this model. Interesting problem here, and I'm not sure if this will be something that OpenAI will fix on short notice, but definitely we have seen malicious models, of course, before, but not from major vendors like OpenAI.

Well, that is it for today, so thanks again for listening, and thanks to everybody who I met here, all of you listeners at the event here in Orlando, and we'll talk to you again on Monday. Bye.