Hello and welcome to the Monday, August 11th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations.

This weekend's diary was about an, at least new to me, scam targeting, well, Tesla users or Tesla enthusiasts trying to pre-order some Tesla products, in particular the Tesla Optimus robot. If you're searching for Tesla Optimus pre-orders on Google, you're being confronted with a number of, well, links that are sponsored, so they're paid for, but they're not paid for by Tesla. If you're clicking on any of these links, you are ending up on a lookalike site that looks like a little bit older design of the Tesla website, but the latest domain name being used here, and that has been changing over the last few days, is offers-tesla.com. And now you're able here to pre-order some yet unreleased products, for example, the Optimus robot, which of course has been sort of heavily featured in the news, and it will happily allow you to pay for this robot using your credit card. I went through the checkout process here using just a fake credit card number, and it let me go through, so it didn't attempt to charge the number because that would have failed. It may use those numbers later to maybe, you know, resell them, use them on other websites. It's not really clear what the real endgame here is of this particular scam, but likely they're after stealing the credit card data. There's also no login on the page, unlike the real Tesla page. So when you come back later, well, you're unlikely to be able to check the status of your order, so it may take a while for the user to realize that they have been scammed. Now, during the checkout process, it does offer you to register. I wasn't able at the time to complete it because spam filters, as I found out later, ate the sort of confirmation email that is being sent back. But either way, even if you register on this particular site, well, like I said, there is no real spot here to log in. Similarly, if you're trying to pre-order any of the other products, like any of the Tesla cars, you will be allowed to go through the process. But, well, it definitely doesn't go to Tesla. It just basically takes a credit card number, and I'm not sure, again, you know, what they'll do with the number, but the money is very unlikely going to go to Tesla. These sites have been rotating. They stay up for a couple of days. So I assume that at one point Tesla, or someone else, is actually then shutting them down. But they keep setting up new sites. The naming scheme is always some prefix like offers, pre-order, or the like, dash, tesla.com.

And then we got a couple of quick items from DEF CON, which of course happened this weekend. First
one here, researchers from Eclypsium demonstrated what they call a BadCam attack. Now, what this really is all about is that if you do have any kind of USB device, an attacker is able to update the firmware on that USB device. The attacker would have to first trick the victim into executing code, but then it gains a nice persistent access to the system just by basically updating the firmware of the USB device. They demonstrated that using webcams running Linux. I can imagine that this will work with any other USB device that has easily updatable firmware. So first you compromise the system. Then you discover what kind of peripherals are connected. You update the firmware of one of these peripherals. And then you can basically turn this particular peripheral, like the webcam in this case, into a USB keyboard and inject keystrokes executing additional malicious code. And again, this is probably more sort of a persistence technique where once you compromise the system, you put some kind of code into that webcam that will continuously reinstall, for example, a backdoor after it was removed. With these USB devices being out of scope for any kind of endpoint protection, that makes it a real neat way to sort of hide malicious code.

And then another interesting DEF CON
talk was from Shahak Morag. I hope I pronounced the name correctly, but it was about an interesting denial of service attack that in particular affects domain controllers that are exposed to the internet, which I don't think is something you really should do. And I think that's another reason why you shouldn't do this. The problem here is RPC and how this can easily be abused for denial of service. RPC is required for a domain controller. And the basic underlying trick here is that the attacker is turning your domain controller via RPC into an LDAP client and then is sending it a flood of LDAP referral URLs that are all pointing to the same IP address. And if you're using this, your domain controller will now flood this other system with these LDAP queries. And that leads to a denial of service attack. Of course, some rate limiting on the receiving end may help here. This is really sort of more of a CPU and memory exhaustion attack. So it's not just plain flooding it with packets, not just a volumetric attack, but still, don't expose your domain controllers. I think that's the number one lesson to take away from this here.

Well, and
that's it for today. Thanks for listening. Thanks for liking and recommending this podcast and for leaving good podcast reviews. If I missed anything, if I missed a story, if I missed something from DEF CON, Black Hat or such, let me know. And by the way, I never mind if, like, an author or a researcher is telling me about something they just published. I don't like marketing people doing it, but researchers, if that was your work, you want to get it to the world. Well, that's what research is all about, to disseminate your results. So let me know. And that's it for today. Thanks and talk to you again tomorrow. Bye.
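The episode describes the scam sites' naming scheme as a prefix, a dash and tesla.com. Below is an added triage example, not part of the podcast or the ISC diary, that runs that observation over a list of URLs such as you might export from a proxy log or a sponsored-search capture: it reduces each hostname to its registrable domain, treats only the official brand domain (and its subdomains) as legitimate, and flags any other registrable domain that embeds the brand keyword, reporting the prefix when the name follows the `<prefix>-tesla.<tld>` pattern. Only `offers-tesla.com` comes from the episode; the other sample hostnames, the `registrable_domain` helper (last two labels, no public-suffix list) and the verdict strings are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# The brand and its official registrable domain, taken from the episode.
BRAND = "tesla"
OFFICIAL_DOMAIN = "tesla.com"

# Constructed sample input. offers-tesla.com is the domain named in the
# episode; every other hostname here is made up to illustrate the pattern.
SAMPLE_URLS = [
    "https://www.tesla.com/optimus",
    "https://shop.tesla.com/checkout",
    "https://offers-tesla.com/pre-order/optimus",
    "http://pre-order-tesla.com/",
    "https://tesla-specials.example/",    # brand keyword, different pattern
    "https://teslacoil-hobby.example/",   # keyword hit that an analyst must review
    "https://example.com/tesla",          # brand only in the path: not flagged
]


def registrable_domain(hostname):
    """Approximate the registrable domain as the last two DNS labels.

    Assumption: no public-suffix handling (co.uk and the like), which is
    sufficient for the .com-style names in this example.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def classify_host(hostname):
    """Return 'official', 'brand-impersonation' or 'unrelated' for a hostname."""
    reg = registrable_domain(hostname)
    if reg == OFFICIAL_DOMAIN:
        # Any subdomain of the real brand domain is the brand's own.
        return "official"
    if BRAND in reg:
        # Brand keyword inside a registrable domain the brand does not own.
        return "brand-impersonation"
    return "unrelated"


def triage(urls):
    """Return (hostname, pattern description) for every impersonation hit."""
    findings = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        if classify_host(host) != "brand-impersonation":
            continue
        reg = registrable_domain(host)
        # Match the <prefix>-tesla.<tld> scheme described in the episode.
        m = re.match(rf"^(.*?)-{BRAND}\.(\w+)$", reg)
        if m:
            pattern = f"<prefix>-{BRAND}.<tld> (prefix={m.group(1)!r})"
        else:
            pattern = "brand keyword in registrable domain"
        findings.append((host, pattern))
    return findings


if __name__ == "__main__":
    for host, pattern in triage(SAMPLE_URLS):
        print(f"{host}: {pattern}")
```

The keyword match is a triage signal rather than proof: a name such as `teslacoil-hobby.example` is flagged for an analyst to look at, which is the intended behaviour for a hunt query, while a brand-name subdomain like `shop.tesla.com` is left alone because the registrable domain is the official one.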
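The BadCam item turns on a webcam that, after a firmware update, starts presenting itself as a USB keyboard. One defensive check that follows directly from that description is to compare a baseline USB inventory against the current one and flag any device that newly exposes a HID interface, especially one that was previously known only as a video device. The following is an added example, not Eclypsium's code or anything from the episode: the one-line-per-device inventory format, the vendor:product identifiers and the port names are all constructed for this example (an endpoint agent exporting such a list is an assumption); the USB interface class codes 0x01 (audio), 0x03 (HID) and 0x0e (video) are the standard USB-IF values.

```python
# Standard USB-IF interface class codes (real values).
USB_CLASS_AUDIO = 0x01
USB_CLASS_HID = 0x03
USB_CLASS_VIDEO = 0x0e

# Constructed inventory format (not real lsusb output), one device per line:
#   <vendor_id>:<product_id> <port-or-label> classes=<hex>,<hex>,...
# Identifiers below are placeholders, not real vendor or product ids.
BASELINE = """\
aaaa:0001 cam0 classes=0e,0e,01
bbbb:0002 kbd0 classes=03
"""

# Same host later: the webcam now also enumerates a HID interface, and an
# unknown HID device has appeared on another port.
CURRENT = """\
aaaa:0001 cam0 classes=0e,0e,01,03
bbbb:0002 kbd0 classes=03
ffff:0001 hub-port3 classes=03
"""


def parse_inventory(text):
    """Parse the constructed inventory format into {(ids, port): {class codes}}."""
    devices = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ident, port, classes = line.split()
        codes = {int(c, 16) for c in classes.split("=", 1)[1].split(",") if c}
        devices[(ident, port)] = codes
    return devices


def find_suspicious_hid(baseline_text, current_text):
    """Return (device key, reason) for HID interfaces absent from the baseline."""
    base = parse_inventory(baseline_text)
    cur = parse_inventory(current_text)
    findings = []
    for key, classes in cur.items():
        if USB_CLASS_HID not in classes:
            continue
        before = base.get(key)
        if before is None:
            # A keyboard-class device that was never inventoried before.
            findings.append((key, "new HID device not in baseline"))
        elif USB_CLASS_HID not in before:
            # A known non-HID peripheral that now also claims to be a keyboard:
            # the BadCam symptom.
            role = "video device" if USB_CLASS_VIDEO in before else "non-HID device"
            findings.append((key, f"{role} now also presents a HID interface"))
    return findings


if __name__ == "__main__":
    for (ident, port), reason in find_suspicious_hid(BASELINE, CURRENT):
        print(f"{ident} on {port}: {reason}")
```

Because the check keys on the device's own interface descriptors rather than on anything the host's endpoint agent can see inside the peripheral, it catches the observable side effect (a camera that starts typing) without needing firmware visibility; pairing it with a HID allowlist, so that only baselined keyboards are permitted to enumerate, turns the same data into a preventive control.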