Hello and welcome to the Monday, December 15th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu Undergraduate Certificate Program in Applied
Cybersecurity. Well, this Monday we have a number of
diaries to talk about. The first one comes from Xavier
and as typical for Xavier, is of interest to anybody reverse
analyzing malware. Xavier is taking a closer look at DLLs.
Now DLLs, libraries of course in Windows, are loaded by
software in order to provide additional functionality. As
any kind of library of course, there are certain features
that are being exposed by the library. But one thing that's
often overlooked here is the entry point. And what's
happening here is that a developer can define an entry
point that's being executed as the library is being loaded.
There are a couple different options how it can be executed
and Xavier is explaining this. The reason it's important for
malware analysis is that you may see a library being
loaded, a DLL being loaded, but then actually no function
in that DLL is being ever executed. Well, then you have
to take a look at the entry point to see if it contains
any code of interest because that was executed just as the
DLL was loaded without any specific function actually
being called. And the next diary comes from Brad. Brad
wrote about, well, two particular examples of a
recent click fix campaign. Click fix again is where you
have the CAPTCHA that tricks you into copy pasting
PowerShell commands into a command prompt. And the part
that Brad looked at it is something that we have talked
about recently and that's the use of the finger command in
these scripts. So in order to obfuscate what's actually
happening here, the attacker is tricking the victim into
posting a command that uses the finger command. And the
finger command is, well, basically just a very simple
TCP server that you just open a connection to and then
retrieve ASCII data. That's really all it does. In this
case, data coming back is a PowerShell script. That's of
course, then just piped to CMD on your Windows host. So a
very simple technique and provides for some additional
obfuscation. Of course, the traffic here goes over port
79, which I don't think is used for anything but this no
longer really used finger command. So definitely a port
that you should investigate blocking outbound from your
network, just like 445 and other ports like this that you
probably shouldn't allow outbound and well, maybe even
better come up with a list of ports that should be allowed
outbound. And then on Friday, we also got a little surprise
from Apple and that's updates to all of Apple's operating
system fixing a number of different vulnerabilities. I
counted 48 vulnerabilities being addressed here. Now,
most interesting were two vulnerabilities in WebKit that
likely can lead to code execution and have already
been exploited in the wild before the patch was released
as usual in targeted attacks. So definitely something that
you probably want to apply over the next week. And
hopefully not too many people sort of just missed it because
of the Friday release. Of course, patching stuff on
Friday is always a little bit discouraged and there wasn't
anything here that should have sort of really prioritized the
patch beyond your regular patch cycle. These already
exploited vulnerabilities, like I said, are only
exploited in limited attacks. And there is no public exploit
as far as I'm aware of. Now, there was also an interesting
one that was being addressed in the compressor utility.
That's not part of the operating system. That was
sort of a separate update that Apple released. I believe it's
part of Apple's video editing suite, at least that's sort of
how I originally downloaded it. The tricky part here is
that the compressor actually listens for network traffic
and in receiving traffic, you can execute arbitrary code
here. Now, the advisory states that the network traffic is
only working if it's on the same local network. And of
course, you have the utility up and running. It's not a
utility that you sort of constantly keep running in the
background. So it's not like other service in that sense.
But you don't miss this particular update. Other than
that, nothing really too terribly exciting. Well, and
React Server Components keep on giving. This time, it's two
denial of service vulnerability and a third
vulnerability that, in my opinion, is actually more
interesting, even though it has a lower CVSS score. And
that third vulnerability may potentially leak source code.
The third vulnerability only applies to certain
circumstances where you are stringifying user submitted
data. And essentially what's happening then is that the
function code itself gets stringified and possibly
returned as part of the response to the request.
Again, this affects React Server Components, just like
the React to shell vulnerability. So if your
application was vulnerable to React to shell, it's probably
vulnerable to these new issues as well. Well, that's it for
today. Just a quick note. This coming week, I'll be teaching
while I'll be staying here at home. I'll be teaching on a
European schedule. So podcast publishing may be affected by
this and the podcast may be released a little bit earlier
than normal. That's it for today. Thanks for listening.
Thanks for liking. Thanks for subscribing and talk to you
again tomorrow. Bye.
