Hello and welcome to the Monday, July 14, 2025 edition
of the SANS Internet Storm Center's Stormcast. My name is
Johannes Ullrich and today's episode is brought to you by
the SANS.edu Graduate Certificate Program in
Industrial Control System Security and it is recorded
here at SANS Fire in Washington, D.C.

Well, this
weekend I worked on a new data feed, Suspicious Domains. This
is something we used to have in the past. Like years ago,
we had a suspicious domain feed and what we did in the
past was that we basically aggregated various other
public domain feeds in order to then rank them and also
look for domains that are sort of more significant by showing
up in multiple feeds. The problem with this approach was
that, well, these feeds kind of changed. Some of them got
discontinued, others changed their licensing that we could
no longer use them and redistribute them. So we now
take a little bit of a different approach. We already
had data of newly registered domains. We offer that as part
of our API data. The recent domains feature in our API
basically gives you recently registered domains. So what we
did now is took an approach that is not new, but where we
basically look for odd patterns in these domains. So
things like, for example, well-known brand names are often
impersonated. We're looking for international characters
that are a little bit odd, particularly if multiple
different scripts are being used in one domain name. Also
things like lots of numbers, high entropy, like these
random domain names. What we have right now is probably a
little bit more sensitive to phishing domains. The malware
domains are probably caught with a lot of these sort of
high entropy, these very random domain names. But those
are actually a little bit more difficult to find, actually
identify and prioritize, because it looks like there
are also some legitimate, not really sure what for, but
domain names being registered in large numbers that
basically include things like the current date or just the
random characters that are not necessarily identifiable as
malicious. But like I said, it's experimental right now.
I'm still experimenting with the different weights we
assign to these features and how we exactly calculate the
rank here or our score, as we call it. The score is added to
our recent domain feeds. I also added the reasons for the
scores, the basic keywords telling you what contributed
to that score, like if it was the entropy, if it was
international domain names or a combination thereof. So let
me know if it works for you. I did see a couple interesting
domain names that sort of bubbled up to sort of the top
20 there this weekend. But really, I think it needs a
little bit more observation and work to sort of fine tune
it. So let me know if it works for you or if you have any
suggestions on what to improve on this particular data.

And for
users of Wing FTP, well, there is a critical update available
for you and a vulnerability that's already being exploited
in the wild. June 30th, RCE Security did release details
about this particular flaw, including a proof of concept
exploit that pretty much had everything you needed to
exploit this vulnerability. Huntress Lab is now saying
that this vulnerability is actively being exploited. Now,
don't get confused by this being an FTP server, Wing FTP.
It actually has a web component that is being
exploited here. So it's not the good old FTP protocol that
is vulnerable here. The exploited vulnerability is
kind of interesting. It's something that we have
definitely seen before, but not all that terribly common.
And that's how the null byte is being dealt with. It's
often being used like in C and such to terminate strings.
Well, it depends really on the language you're using and how
you're exactly using this particular string. But the
problem is here that you can add additional content, and in
particular Lua script code, to the end of your username. You
just have to delineate it with a null byte. That way
authentication still works because it only looks at the
content of the username up to this null byte. But then the
entire username you provided is copied into the session
file, including that code, which can then lead to remote
code execution. So interesting vulnerability and definitely
something for web developers and such, of course, also to
read up on so that you're not making the same mistake.

And I
guess today is kind of exploit Monday because we have a lot
of exploits for vulnerabilities that we recently talked about
for the web. That's a vulnerability I think I
mentioned on Friday, if I remember correctly. Well, it's
being exploited now. There is a blog available that gives
you all the details about this vulnerability. It's at its
core a SQL injection vulnerability. SQL injection
vulnerabilities, of course, can easily lead to remote code
execution. If you can write a file, that's exactly what's
happening here. You can use SQL injection to write a file
on the system and then execute the content of that file.

And
NVIDIA released the advisory that some of its GPUs are
susceptible to the Rowhammer attack. Rowhammer affects DDR
memory. And of course, DDR is being used in modern graphics
cards. And the problem here is that repeated reading and
writing to certain areas of the memory can actually affect
and even flip bits in other parts of the memory that a user may
otherwise not have access to. This is an older
vulnerability, originally, I believe, discovered by Google.
And pretty much it's sort of inherent, intrinsic to DDR
memory. So no big surprise that GPUs and the graphics
cards, basically with DDR memory, are susceptible to
this vulnerability.

Well, and this is it for today. Thanks
for listening. Thanks for recommending this podcast.
Thanks for leaving good reviews in your favorite
podcast platform. And please like and subscribe. And that's
it for today. Thanks for listening and talk to you
again tomorrow. Bye.
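The suspicious-domain scoring described at the start of the episode (brand keywords, mixed scripts, digit-heavy and high-entropy labels, with a score plus the reasons behind it), as an added example that is not the ISC feed's own code. The brand list, weights and thresholds are illustrative assumptions; the feed's real values are not on the page.

```python
import math
import unicodedata
from collections import Counter

# Constructed brand list for this demo; the feed's real keyword list is not on the page.
BRANDS = ("paypal", "microsoft", "apple", "amazon", "dhl")
VOWELS = set("aeiou")

def shannon_entropy(s: str) -> float:
    """Bits per character; a label made of many distinct characters scores high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scripts_used(label: str) -> set:
    """Unicode script of every letter, taken from the first word of its character
    name (LATIN, CYRILLIC, GREEK, ...). Two scripts in one label is a homograph signal."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def score_domain(domain: str) -> tuple:
    """Return (score, reasons) for one newly registered domain.
    Weights and thresholds are illustrative assumptions, not the ISC feed's values."""
    label = domain.lower().split(".")[0]          # leftmost label of the registered name
    letters = label.replace("-", "")
    score, reasons = 0, []
    if label not in BRANDS and any(b in label for b in BRANDS):
        score += 40; reasons.append("brand")       # brand name embedded in a longer label
    if len(scripts_used(label)) > 1:
        score += 35; reasons.append("mixed-script")
    if not label.isascii():
        score += 15; reasons.append("idn")
    if letters and sum(ch.isdigit() for ch in letters) / len(letters) > 0.3:
        score += 20; reasons.append("digits")
    # Plain English labels also have fairly high entropy, so require a low vowel
    # ratio as well before calling a label "random".
    vowel_ratio = sum(ch in VOWELS for ch in letters) / max(len(letters), 1)
    if shannon_entropy(letters) > 3.5 and vowel_ratio < 0.25:
        score += 25; reasons.append("entropy")
    return score, reasons

def rank(domains) -> list:
    """Sort a batch of domains by score, highest first, with the reasons attached."""
    scored = [(s, d, r) for d in domains for s, r in [score_domain(d)]]
    return sorted(scored, key=lambda t: t[0], reverse=True)
```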
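The null-byte mismatch behind the Wing FTP issue, reduced to its two code paths as an added example (constructed stand-ins, not Wing FTP's code): the check authenticates only the part of the username before the NUL byte, while the session record receives the whole string. The hardened variant rejects control bytes and persists exactly the value it authenticated. The credential store and the trailing data are constructed.

```python
import re
from typing import Optional

USERS = {"alice": "correct-horse"}          # constructed credential store

def c_style_truncate(s: str) -> str:
    """Mimic a C string API: everything after the first NUL byte is ignored."""
    return s.split("\x00", 1)[0]

def authenticate_lax(username: str, password: str) -> bool:
    """Flawed check: the decision is made on the truncated name only."""
    return USERS.get(c_style_truncate(username)) == password

def session_record(username: str) -> str:
    """Whatever value is passed here is written verbatim into the session file."""
    return f'user = "{username}"\n'

def login_lax(username: str, password: str) -> Optional[str]:
    """Vulnerable flow: authenticates one string, persists a different one."""
    if authenticate_lax(username, password):
        return session_record(username)     # full string, including bytes past the NUL
    return None

CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def canonical_username(username: str) -> Optional[str]:
    """Reject any identifier carrying NUL or other control bytes before it is used."""
    if CONTROL.search(username):
        return None
    return username

def login_strict(username: str, password: str) -> Optional[str]:
    """Hardened flow: one canonical value is both authenticated and persisted."""
    name = canonical_username(username)
    if name is None or USERS.get(name) != password:
        return None
    return session_record(name)             # same string the check was made on

def is_suspicious_login(username: str) -> bool:
    """Detection hook for auth logs: a NUL inside a username is never legitimate."""
    return "\x00" in username
```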