Hello and welcome to the Friday, November 14th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations. And today we do have two diaries I should talk about.

First one is from Brad Duncan and he writes about the latest regarding the SmartApeSG campaign. This is a campaign that usually advertised itself via fake browser updates, but lately has jumped on the ClickFix bandwagon. And that has overall been sort of a huge thing where we see more and more of these fake captchas that are tricking victims into installing malicious software on their system. In this particular case, it starts out with a compromised web page. Inside that web page, the attacker will add some JavaScript to then redirect the user to the ClickFix exploit, which is in this case, as you see, sort of a Cloudflare lookalike captcha that then tricks the victim into installing or basically running a malicious PowerShell command. And that PowerShell command will install additional malicious software. As usual, Brad provides plenty of indicators of compromise here with his diary, including packet captures to see how the attack really unfolded, and hopefully helps you detect some of these attacks in your own network.

The second diary comes from Xavier. And Xavier gives us an update on the FormBook malware, another very popular piece of malware that we haven't really talked much about lately. This particular example arrived in the form of an email attachment as a zip file. The user was then tricked into extracting the zip file and executing the Visual Basic script that was included with the zip file. Xavier, in this particular example, focuses on the obfuscation techniques being used here. One interesting tidbit is, for example, the avoidance of the sleep function, which is used to delay the malicious action of the command. That's often part of signatures, this sleep function, because it is often used for delaying the execution. But here, by putting, well, a WScript.Sleep into a little loop, they basically get the same effect as a longer sleep function. It may trigger some signatures. Also, later, there is some additional PowerShell obfuscation, again to evade signatures and some of the simple protection mechanisms against these types of malware.

In the last few years, there has been a big push to replace C/C++ with Rust when it comes to programming, in particular system components. This latest vulnerability illustrates some of the dangers behind it. Rust, of course, being a memory-safe language, it eliminates some of the memory allocation issues that you often run into in C/C++, like buffer overflows. But, of course, there's more to security than memory management. This example here with sudo-rs, which is the Rust version of sudo, is sort of an example here. sudo, of course, has a rich history of vulnerabilities because of its complicated operating logic. And it's not so much the buffer overflows. I think it had some of them as well. But often the complexities of just managing these different permissions are an issue. And there are two interesting vulnerabilities that were patched in sudo-rs. And the first one is where the authenticating user is not properly recorded in a timestamp. So you may basically get different timing and sort of these reauthorization issues that you have with sudo. The second one is, I think, really interesting. And this is sort of a password reveal. Essentially what happens here is if you type your password as you invoke sudo, well, the password is not visible. But due to this vulnerability, if an attacker can disrupt you from entering the password before you hit enter, they can then basically trick the system to reveal the password. Interesting vulnerability. And that's exactly sort of some of these odd little logic issues that are often lost as you're translating from one language to another. So if you are currently undertaking sort of one of these big conversions, take a look at some of these vulnerabilities and see what problems others have run into in trying to do these C/C++ to Rust conversions.

Well, and I almost missed it. I didn't realize it's already November and time for the SANS Holiday Hack Challenge. So I have with me today Chris to talk a little bit about the challenge.

I'd love to, Johannes. Yeah, this is, of course, the SANS gift to the community every holiday season. It's a game that we love building. We hope everybody loves to come and play and learn. And it's new every year. It's a new set of challenges. And this one especially is focused on micro challenges, especially at the beginning. We want people to begin, hop in, and be able to accomplish a few things right off the bat. And that's really a great learning opportunity.

I played it last year. I haven't played yet this year. I haven't gotten around to it yet. So these micro challenges are kind of little small things that you can sort of, even as a beginner, solve? Or is that sort of a little bit the goal here?

Yeah, absolutely. The first few are pretty straightforward. So just maybe the basics of networking, the very basics of firewalls. And you're just moving blocks around visually in a web page. So it's made for everybody. Bring your marketing person. Bring your manager, right? There's something for everyone, for sure.

Yeah. And really, for people that could start in the industry, could start with cybersecurity, probably a great way to sort of have some fun here. I hear there are also prizes that you have for the challenge.

There are indeed. Indeed. Yeah. So it's open and free all year long. But right now, during the competition period, so now through January 5th, if you submit one of the very best solutions to the holiday hack, then you could win access to SANS Skills Quest by NetWars. That's an online learning platform, or even a free SANS course.

Wow. Those are quite substantial prizes there. But even if you don't win, I think you're still winning by just learning. Can you tell us a little bit sort of some of the challenges? Maybe give us a little bit of a preview of what to expect there? Or what's the storyline this year?

Yeah. Yeah. So I love having a storyline. I love learning and playing. You know, whenever I'm working with people who are newer to cybersecurity, I always encourage them to go and play. And this is a great way to do that. So the storyline here, we've got some gnomes who are up to something and there's someone guiding them. Interestingly, I think for somebody who's been doing this for a while, it's a throwback to our game 10 years ago. So when I first played the holiday hack, it was in this neighborhood and we're back in that neighborhood. But now with 3D graphics, and you can rotate your view with Q and E keys, it's kind of interesting. But challenges go from some of the basics of cybersecurity all up to some more complex challenges for the pros. So things in cloud, we have some LLM exploitation and even some post-quantum crypto. And those will take a little bit longer to do, right, than the intro challenges. But yeah, a little bit of everything, or something for everybody.

Yeah. So that's really great. And I always love it how you really create sort of that video game experience. It's not just your normal hack challenges. They sort of have that, you know, screen and the terminal kind of environment where you have to... Part of that is there too. But you really have to craft a user interface down too. And I always love the stories that you come up with. I think that makes it so much more entertaining, really. And also interactions between players. Is that also still part of it?

Yes. Yeah. So believe it or not, not everybody likes the game world. And this year we've introduced CTF mode. So if you want to, you can start in the game and then switch it to CTF mode and just get the challenges. And that's fine. But I, like you, Johannes, I like the story and the graphics and the music. We commission new music every year. What was the question?

Well, actually, let's just talk about how do I get there? What's the URL that people need to know to get there?

Yep. SANS.org/holidayhack. And when you get there, there's a video from Ed Skoudis, our chief elf, describing all the changes this year. The new hint system, how to rotate your view in the 3D land and how to set up cohorts, all that kind of thing.

I love the title, Chief Elf. Much better than SANS.edu President, kind of. Much better title. I love that. Yeah. So I'll definitely add the link to the show notes in case you didn't get that. But it's a great opportunity for everybody. Great gift to the community here. Any final words for our listeners?

So your question before was about interaction. And yes, absolutely. The best way to interact is over Discord. So if you get stuck on anything, join the Discord and you'll probably get helped out by another player because it's a very active community. So come, have fun, and be social in a virtual kind of way.

So I hope you'll check it out. And it's certainly not just for information security professionals. It's something for the whole family to really have fun with. And with that, thanks for listening. Thanks for liking and subscribing. And talk to you again on Monday. Bye.

Bye. Thank you.