Hello and welcome to the Friday, February 28th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Xavier today published a quick diary with a new version of the njRAT malware that he found, and well, njRAT in this example is taking advantage of Microsoft Dev Tunnels. This is activity that may go unnoticed because it is a legitimate service. Sometimes, as I've described, living off the cloud attacks, but essentially Dev Tunnels are meant for developers to help test web services, but of course they can also be used to relay other traffic, like in this case the exfiltration of credentials. The domain to look for here is devtunnels.ms, MS for, sort of, Microsoft. This particular domain is exclusively used for these Dev Tunnels, and well, they're called Dev Tunnels because they're used for development, not necessarily for production software. So unless you are actually actively developing software using Dev Tunnels, you probably shouldn't see that domain on your network, which makes it a pretty good indicator of compromise here, something to go hunting for.

And researchers at George Mason University came up with an interesting method to subvert the Apple Find My network. This is the network that's being used to track AirTags and other Apple devices. In order for a device to be tracked, it needs a valid public-private key pair. The public key is then being used to essentially send the lost message that's then being received and relayed by various Apple devices that are capable of participating in this Find My network. The problem that these researchers have discovered is that it's actually not that difficult to come up with a valid key pair. So a Trojan could infect a random computer that's capable of participating in Bluetooth Low Energy, which of course now pretty much any mobile device is these days. Definitely desktops and such usually have some kind of Bluetooth capability. And then they have to create a valid key pair for the device, which they figured out can be done with a reasonable effort. They used one of these higher-end NVIDIA cards, I believe the H100 card. But they reckon it's about $5 worth of computing time effort if you do it in the cloud, for example, to come up with a valid key pair. And that advertisement of a lost device is now being relayed by Apple devices for the Find My network and allows the geographic location tracking of the compromised device. Apple has released a patch in the latest version of iOS, in 18.2, to prevent relaying these messages. Basically added some additional validation of the keys to make them more difficult to spoof. Of course, as long as there are still old devices out there, they will relay these messages and the exploit would still work.
Well, yesterday I talked about the injection of malicious JavaScript that led to this large cryptocurrency theft. Today a little bit something similar: cross-site scripting being used in order to inject malicious JavaScript into websites that are using these 360 degree virtual tours. A cross-site scripting vulnerability is basically used here to persistently inject that JavaScript. Oleg Zaytsev did come up with details behind this attack. Currently it's, I guess luckily, just being used to advertise porn websites. So nothing too malicious yet. But given that this is often used, sort of, on realtor websites or such, it could also be used for more malicious purposes. Like, I see a lot of, sort of, business email compromise attacks and such against realtors, realtor websites. So there's certainly room to grow here for this particular attack. And the particular library that's vulnerable here is called Krpano. And again, it's been used for these 360 virtual tours.

Well, and it's Friday again, so we do have another sans.edu student here to talk about their research paper. Ben, could you introduce yourself please?

Hi there, my name is Ben Powell. I'm a senior, excuse me, a principal security engineer. And I've been in cyber about 15 years at this point. I started and worked my way up through the military and then separated to do some contracting, and now working in the private sector.

Yeah, and your paper, I think, was about, well, one of the hot topics that probably many are worried about. And that's kind of ransomware and how to defend against that. Can you explain a little bit what aspect of ransomware, that big topic, you covered?

Yes. So I'm working as an incident responder, have seen quite a bit of ransomware, and I am often surprised at how payloads are executed and how ransomware lands on the systems. And so I was curious, with some penetration testing experience also: how can we as network defenders do a better job of preparing ourselves for, sort of, the inevitable? You and I both know it's not going to go anywhere as long as companies are paying the ransom. It's just going to continue to be present.

Yeah, always figure ransomware, they figured out it's actually more valuable to steal the data than to delete it or sell it to someone else. You're the only one who really wants those baby pictures.
But yeah, so you of course, you're looking at corporate environments, not necessarily at people's personal pictures. And you looked at different EDR options. So what were these EDR, endpoint detection and response, options?

So really, I kind of targeted my research around small businesses, maybe teams that don't necessarily have a large security staff. And I was interested in kind of a name brand product. So I shot for Microsoft Defender. And within the Microsoft Defender world, there's a boatload that's specifically focused on Microsoft Defender for Endpoint. And, excuse me, Microsoft Defender for Business, because that one was focused with companies that had 300 people or less. So my thought there was this would kind of definitely hit that small business environment. Not everyone needs a full-blown Microsoft 365 license. And the second option I looked at was Wazuh, open source. I'll call it an integrated product. It provides XDR as well as a SIEM. So there's almost an auto-ingestion portion where you don't necessarily manage the – you don't look at the data like you would in Defender. You look at it much more from, like, a Splunk or Elastic perspective, with the ability to create custom searches and look at basically all of the event logs off of the machine, rather than the Microsoft Defender side where you're only kind of looking at those threat logs.

Yeah, and I've used both of these products. I think they are both valid. Like you said, they really hit that small, medium business market, both of them. What are some of the big differences you found when looking at these products?

Well, I'll start with Wazuh first. The big difference right there is having the ingestion. So you have – you deploy the agent. The agent then calls back to the indexer. The indexer is going to correlate – not – excuse me, not correlate – index all of the logs for you to create a common language of all of the file types and log data values. And then from there, you actually search against that, rather than the Microsoft side where you deploy the agent and it's looking at those logs locally and calling out to the cloud-based console. So with Wazuh, you needed an additional internal device. So having that server locally, which I will say I have seen fairly recently some issues where companies or clients don't necessarily have that integrated logging, the centralized logging or cloud-based logging. And keeping all of the logs local is not recommended in today's day and age.

Yeah. I know it's a common issue. The advantage, of course, of having all those logs is that you have additional context in case something happens. In Microsoft Defender, do you get some of that context from Microsoft, or is it really more of that red, green light bulb thing?

You get a good bit of data from Microsoft. They will go ahead – Microsoft will categorize threats. One of the big differences was the rule technology or the rule creation. With Microsoft Defender for Business, you were unable to create any customized detections. So you were really kind of left with what Microsoft deemed to be threats. With Wazuh, on the other hand, you had the ability to write your own YARA rules. And taking those YARA rules and deploying them creates a lot more detections that you can get out of that system, while also being somewhat a bit more manual, needing to find a rule set, needing to make sure it's updated, and doing kind of the maintenance on that. Whereas Microsoft made it a lot more just plug and play, if you will.

Yeah, I think that customization part is really something. Just from my own experience running Microsoft Defender, the transcript for the podcast often triggers the suspicious file rule. Not sure why, but maybe talking about malware or such will cause that. But Wazuh, similar, it has – I forgot which it was, there was one common Linux binary that last year I ran into that Wazuh, for whatever reason, considered malicious. And it was a well-known false positive. Now, in Wazuh, I can go in and change the rule and make it stop alerting on this.
And then, of course, [in Microsoft Defender] I can't change the rule.

Yes, it's
definitely a big problem with that side. And I think, back to what you pointed out, it was interesting, because even just on my base installation of Windows, importing the tool I used for these detections, Atomic Red Team, to create some of that activity, Microsoft Defender immediately started throwing flags just upon the installation. Whereas Wazuh, on the other hand, you needed to go in and specifically tell it to detect on this activity and detect on this file type.

Yeah, I think Wazuh, in general, is not that great in, sort of, that real-time detection as stuff is being uploaded on the system. That doesn't ever seem to be a good component of it. But, yeah, now, as far as blocking, did Wazuh do any blocking or did it just do alerting?

I did not get any blocking out of it. I did just alerting, focusing on really kind of a default installation, if you will, back to the scenario of this being a very small shop, maybe not without a security team. So having kind of the built-in detections from the Microsoft Defender side was really a big pro if I was looking at the two solutions. And with Wazuh, you do need a good bit more technical expertise to get the rules created, to get the rules written and deployed correctly. One slight mishap in the logic, if you had a quote or a comma in the wrong place, then you definitely would not detect on what you're wanting to. So with lots of flexibility comes lots of responsibility in getting it right.

It's the usual issue. Yeah, great. So the paper, is it already in the reading room? It's already uploaded?

Yes, it is in the reading room and uploaded.

Okay, good. So I'll add a link to the show notes. Any final words? Are you using Wazuh or Microsoft Defender? Can you say what you're using right now in your day job, or are you using both?

In the day job, we're using SentinelOne. So it's something, yeah, totally different. Definitely. But I would like to leave everybody with: the Atomic Red Team was the tool I used to test the detections. So having an internal team or having someone who is familiar with that, it's very simple to deploy and create some of these activities. So as security defenders, we can definitely make significant strides towards blocking out very common ransomware, even with very common threat actor tactics, through using tools like this.

Excellent. Yeah. Thanks for joining me here. And thanks, everybody, for listening.

Thank you.