Hello and welcome to the Friday, August 1st, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu Graduate Certificate Program in
Cybersecurity Leadership. Yesterday, CISA, in
collaboration with other government agencies, published
an updated report about Scattered Spider. It's not the
first time they published a report about this group, but
as I mentioned yesterday, they updated some of the social
engineering kind of techniques being used by the group, but
also included sort of the usual indicators of
compromise. And the one part that I was kind of interested
in was the new domain patterns that were being used here,
like the targetsname-cms.com or targetsname-helpdesk.com.
So basically, that would be the company name, then just
followed by helpdesk.com. That, of course, matches them
impersonating help desks and such. So I was going over our
data to see if we do find any names like this in yesterday's
data. Realize, of course, that after this report was
published, Scattered Spider likely learned about this and
may have changed some of their patterns. So I took this also
as an opportunity to show a little bit how to use our data
here to find domain names like this. So we offer a recent
domain feed. That domain feed does allow you to essentially
look for domains registered on a certain date or really
domains that were found on that particular date. Sometimes,
depending on how we find them, it's a little bit delayed. And
in this case, well, I then basically was just searching
for this particular pattern like helpdesk. And there are a
couple interesting ones, like in particular this
helpdesk-truist.com. You may not be that familiar with that brand,
but Truist is a larger bank, at least here in the U.S. I'm
not sure what their global sort of footprint looks like.
Now, like I said, whenever an attacker uses a particular
pattern and it is found out, they tend to change it. So my
next step then was also to look at, hey, what other
Truist-related names did we find? And there was this
cdn-truist.com that was also registered yesterday. And that
domain name, of course, does not match any of the patterns
in the CISA reports. Could be because this was registered by
a completely different group. Neither one of these domain
names, helpdesk or CDN, is currently resolving to an IP
address. So it's a little bit hard to figure out what they
will ultimately be used for. But the lesson I want to get
across here is always sort of pivot around. Don't take these
advisories too literally when it comes to the indicators of
compromise. They're a good start, but then always pivot
around and try to find something new, like here that
cdn-. And certainly one of the important Threat Intel sort of
inputs that you should keep looking at is any new domain
names registered with your particular brand. And
Microsoft is moving ahead with further reducing the attack
surface of Excel. Excel has a feature, if you have ever used
Excel, to retrieve data from external documents. These
links are consistently being updated with the latest
content from these external documents. Really sort of
useful feature. But the problem is that, well, these
external documents may have malicious content depending on
their file type. Now, Microsoft has limited what you
can do with some sort of known dangerous file types. But that
is now also extending to these external links. So if you link
to an external file type that Microsoft considers dangerous,
this will stop working as soon as October. Microsoft, in its
note here, does also provide some help as to how to figure
out what file types are being blocked and how to disable the
feature or adjust the file types if you wish to do so. So
you have that option. This is really just more or less sort
of a default setting that users can then relax if they
hopefully know what they are doing. And looking for ways to
simplify your malware analysis. Well, the Thorium
platform, which is something that Sandia National Labs
developed for CISA, is now public. And there is a GitHub
repository where you can learn more about this particular
tool. Essentially a set of Docker containers that can be
used to feed malware to various tools. Supposed to be
really simple and fast to use. Personally, I haven't had a
chance to look at it yet. If anybody has used it, it would
be interesting to hear what you think about it. And if
this is a useful tool that improves your analysis. Well,
and that's it for today. Thanks for listening. Thanks
for liking and subscribing. Thanks for any feedback that
you have regarding this podcast. And talk to you again
on Monday. Bye.
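As an added example of the "pivot around the advisory" idea from the first segment, the script below scans a recent-domain feed for brand-impersonation names. It is not code from the Internet Storm Center, CISA or the podcast; the feed format (one `YYYY-MM-DD,domain` line per entry), the brand list, and every sample line are constructed for illustration and do not reflect the real ISC feed. It flags the exact shapes the advisory describes (`brand-cms`, `brand-helpdesk`, and the reversed `helpdesk-brand` actually seen in the episode) as known patterns, and anything else carrying the brand token (such as `cdn-brand`) as a pivot candidate that needs a human look. The brand match is anchored to the start or end of a hyphen-separated label so that an unrelated word containing the brand as a substring (e.g. "altruistic" for "truist") is not flagged.

```python
"""Scan a recent-domain feed for names that impersonate a brand.

Added example, not ISC, CISA or podcast code.  Feed format, brand list and
sample entries are constructed assumptions for illustration only.
"""
from collections import defaultdict

# Shapes described in the advisory as relayed in the episode:
# <brand>-cms.<tld> and <brand>-helpdesk.<tld>; the reversed helpdesk-<brand>
# is accepted too because that is what turned up in the feed.
KNOWN_SUFFIXES = ("cms", "helpdesk")

# Constructed feed lines (not real ISC data).
SAMPLE_FEED = """\
2025-07-31,helpdesk-truist.com
2025-07-31,cdn-truist.com
2025-07-31,truist-helpdesk.com
2025-07-31,examplebank-cms.com
2025-07-31,truistbankalerts.net
2025-07-31,altruistic-living.org
2025-07-31,unrelated-helpdesk.com
2025-07-31,my-cdn.io
"""


def parse_feed(text):
    """Yield (date, domain) tuples; domains lowercased, trailing dot stripped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, domain = line.split(",", 1)
        yield date, domain.strip().lower().rstrip(".")


def registrable_label(domain):
    """Second-level label, e.g. 'cdn-truist' for 'cdn-truist.com'.

    Simplified assumption: single-label TLDs only (no public-suffix list),
    so 'example.co.uk' would be handled wrongly by this toy version.
    """
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def carries_brand(part, brand):
    """True if a hyphen-separated label starts or ends with the brand token.

    Anchoring avoids substring noise: 'altruistic' does not match 'truist',
    but 'truistbankalerts' does.
    """
    return part == brand or part.startswith(brand) or part.endswith(brand)


def classify(domain, brand):
    """Return 'known-pattern', 'pivot', or None for one brand."""
    parts = registrable_label(domain).split("-")
    if not any(carries_brand(p, brand) for p in parts):
        return None
    # Exact advisory shapes: brand-cms / brand-helpdesk (either order).
    if len(parts) == 2 and brand in parts:
        other = parts[1] if parts[0] == brand else parts[0]
        if other in KNOWN_SUFFIXES:
            return "known-pattern"
    # Anything else carrying the brand token (cdn-brand, brandalerts, ...)
    # is a pivot candidate the advisory did not list.
    return "pivot"


def scan_feed(text, brands):
    """Return {brand: {category: [domain, ...]}} for every brand hit."""
    hits = defaultdict(lambda: defaultdict(list))
    for _date, domain in parse_feed(text):
        for brand in brands:
            category = classify(domain, brand.lower())
            if category:
                hits[brand][category].append(domain)
    return {b: dict(c) for b, c in hits.items()}


if __name__ == "__main__":
    for brand, cats in scan_feed(SAMPLE_FEED, ["truist", "examplebank"]).items():
        for category, domains in cats.items():
            print(f"{brand:12} {category:14} {', '.join(domains)}")
```

Running it on the constructed feed reports the two advisory-shaped names as known patterns and `cdn-truist.com` plus `truistbankalerts.net` as pivot candidates, while the unrelated `altruistic-living.org` is ignored. A natural next step, as the episode notes, is to check whether each hit currently resolves and to re-run the scan daily against your own brand list.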