Hello and welcome to the Friday, May 9th, 2025 edition of the SANS Internet StormCast. My name is Johannes Ullrich and today I'm recording from San Diego, California.

Well, Xavier is on a roll and we got another diary from Xavier. This time a little SSH trick. The problem here was that Xavier was provided with a system that was only accessible via SSH. It had no outbound connectivity; that was all blocked by the firewall, and Xavier still had to basically reach out to a couple of websites to download additional tools. The quick solution here was, well, to just use the existing SSH tunnel to connect back to an HTTP proxy and from there, of course, back to the world. All you need with SSH is one single connection, and then you can use it to forward ports and basically tunnel additional traffic. There's actually sort of another thing that I've used in the past a couple of times, where you just run a point-to-point connection over SSH. That gives you essentially a complete VPN via SSH. Not quite as reliable as other VPN solutions; that's why I haven't really been using it much lately. But in a pinch, if all you have is SSH, that's certainly quite useful. And I've run into situations, for example while traveling, where hotel or conference center networks were quite restricted, and, well, then something like this has sometimes saved the day.

Well, then last week I wrote about exploits of a Samsung MagicINFO 9 vulnerability. And back then I stated that, well, this vulnerability was actually patched back last August. Huntress today published a blog post stating that the patch from back in August probably didn't work, or that there is a second very similar vulnerability. Either way, even fully patched copies of Samsung MagicINFO 9 are still exploitable with the proof of concept that was published and that the exploit attempts we have seen are based on. So if you're using Samsung MagicINFO, which is typically used to manage the content on Samsung advertisement signage displays, well, better make sure that your install of MagicINFO is not accessible from the Internet. I'm not sure if it's possible to just shut it down while you're not making any changes. But either way, the current latest version of the software is currently being exploited by botnets like Mirai.

When it comes to endpoint detection and response systems, there is an ongoing battle between attackers and defenders, where attackers are attempting to corrupt or disable the endpoint detection and response system. Now, there is a new exploit that has been seen in the wild being used against SentinelOne doing just that. This was observed by Aon as part of their incident response practice. The trick the attacker exploited here was that SentinelOne's upgrade process apparently wasn't properly protected. So by disabling and corrupting the update process, it was actually then possible to disable the endpoint protection on a particular host. SentinelOne has published some guidance about how to protect yourself from this particular attack. So if you're using SentinelOne, take a look at the Aon blog and see how to apply these protections.

Well, then we have another incomplete patch to report about. Commvault, I think about two weeks ago, patched a vulnerability. watchTowr came up with a great write-up of the vulnerability, including proof-of-concept exploits. Well, Will Dormann is now reporting that he tried that proof-of-concept exploit against a fully patched version of Commvault and apparently it still works. So double-check your backup systems and make sure that you have them isolated. I haven't seen anything yet about a new updated patch for this particular software.

Well, this is it for today. So thanks for listening and talk to you again on Monday. Bye.
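The "one SSH connection" trick from Xavier's diary, as an added example that is not part of the podcast or the diary: a reverse forward (`ssh -R`) puts a listener on the restricted host that leads back to an HTTP proxy on the operator's side, and the environment variables make the usual download tools use it. Because this only works when sshd permits TCP forwarding, the block also includes a small audit of an `sshd_config` for the `AllowTcpForwarding` directive, which is the setting a defender would review on hosts that are supposed to be isolated. The host names, ports and the sshd_config text are constructed for the example.

```shell
# Added example, not from the StormCast or Xavier's diary: the "one SSH
# connection" trick, plus the server-side setting that decides whether it
# works. Host names, ports and the sshd_config text below are constructed.

# Build the ssh command that reverse-forwards a proxy reachable from the
# operator's side onto a listener on the restricted host.
#   $1 remote listen port   $2 proxy host   $3 proxy port   $4 user@restricted-host
# -N opens no shell; ExitOnForwardFailure makes ssh exit if sshd refuses the
# forward instead of silently leaving a session with no tunnel.
build_tunnel_cmd() {
  printf 'ssh -N -o ExitOnForwardFailure=yes -R %s:%s:%s %s' "$1" "$2" "$3" "$4"
}

# Environment the restricted host needs so curl, wget, pip, apt and friends
# send their requests to the forwarded listener rather than to the Internet.
proxy_env() {
  printf 'http_proxy=http://127.0.0.1:%s https_proxy=http://127.0.0.1:%s' "$1" "$1"
}

# Defender-side check: given an sshd_config on stdin, exit 0 if -R forwards
# are permitted. sshd uses the FIRST value of a keyword and defaults to "yes";
# this simplified check stops at the first Match block.
forwarding_allowed() {
  awk 'BEGIN { allowed = 1; seen = 0 }
       /^[[:space:]]*Match([[:space:]]|$)/ { exit }
       tolower($1) == "allowtcpforwarding" && !seen {
         seen = 1; v = tolower($2)
         allowed = (v == "yes" || v == "all" || v == "remote")
       }
       END { exit (allowed ? 0 : 1) }'
}

# Constructed sshd_config fragment for a server hardened against this trick:
# forwarding is off globally and only re-enabled for one account.
SAMPLE_SSHD_CONFIG='Port 22
# forwarding disabled for everyone except the backup account
AllowTcpForwarding no
Match User backup
    AllowTcpForwarding remote'

# Usage on the operator's machine (proxy listening on localhost:3128):
#   sh -c "$(build_tunnel_cmd 3128 127.0.0.1 3128 admin@restricted-host)"
# Then, in a shell on the restricted host:
#   export $(proxy_env 3128); curl -I https://example.com
# Audit the server configuration:
#   printf '%s\n' "$SAMPLE_SSHD_CONFIG" | forwarding_allowed && echo "forwarding on" || echo "forwarding off"
```

With `AllowTcpForwarding no` in place the `-R` option is refused and, thanks to `ExitOnForwardFailure`, the client exits rather than holding a session that looks connected but carries no tunnel; on hosts that are meant to have no outbound path, that directive and the absence of unexpected listening sockets are the two things worth checking.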