Hello and welcome to the Tuesday, July 15th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich and this episode brought to you by
the sans.edu certificate program in cybersecurity
leadership is recorded in Washington, D.C. Well, if you
are running one of our honeypots and sending us logs,
which I hope many of you are doing, you may have noticed a
delay in imports of these logs over the weekend. This was in
part caused by, well, an unintentional self-inflicted
denial of service. We were playing with a new version of
the honeypot and, well, myself and Jesse were running it and
causing a lot of additional logs. But this also triggered
Jesse to look a little bit at the log volume of his
honeypots. He's running about half a dozen of them across
time. And we have seen in the past where honeypots sort of
on a particular day or so all of a sudden get a big surge in
logs. This is often caused by one particular IP address,
essentially running a vulnerability scan against a
particular honeypot. Well, what Jesse saw was something a
little bit different. Over the last couple of weeks, the log
volume across all of his honeypots has increased
substantially sort of by an order of magnitude. Actually,
when he plotted it sort of as number of logs or events over
time, the prior part of the graph pretty much looked like
zero, like nothing was there. What is also interesting here
is that this attack appears to be caused by IP addresses that
only scan a very small number of URLs. And these URLs are
related to the sonic wall vulnerability. Looks like
there is some kind of botnet that infected these sonic wall
systems and is now very aggressively scanning for
additional vulnerable systems. I hope they sort of got what
there is as far as vulnerable systems exists out there. But
definitely double check your sonic walls. Make sure you're
patched. Other than that, I don't think that this
particular botnet at this point is causing much
additional damage. As they probably have reached sort of
saturation way long ago, like a few weeks ago or so. I would
expect within a day or so that this botnet probably reached
saturation. And yeah, definitely need to look at it
globally. Haven't had a chance the last couple of weeks to do
much as far as data analysis goes. But have to see if this
is an effect that all of our sensors see or just a specific
subset of our sensor. And Idan Daridman with Koi Security did
publish a blog post describing a campaign of compromised
browser extensions that they are calling Red Direction.
What's interesting about this is not only that like the more
popular extension was part of this campaign, a color picker,
color changer extension was installed by 2.3 million
users. But also that this extension has been around for
quite a while. Now, it wasn't malicious for the entire time
it existed. It started out as a well-respected, non
-malicious extension, but the malicious part was only
installed later. However, with users, of course,
automatically updating extensions, they then also
received the malicious version as it was published. This
extension will essentially monitor your browsing habits,
do reports back things like URLs and such that you may
visit. And, well, also has the ability to redirect you to
other sites and basically control your browser. The
problem with extensions in general is that, yes, they do
have access to the entire content, the entire DOM in
your browser. In this particular case, it probably
also wasn't suspicious if the extension asked for that
permission, as you wanted it to interact with the webpage
to change, select colors and the like. There was also like
an emoji keyboard, I believe, that was vulnerable and a
couple of other really benign extensions that worked
perfectly fine, but then received this malicious
update. As far as defenses against this, well, of course,
if you are affected by any of these extensions, immediately
uninstall it. Be aware of the possible damage that has
happened by data being exfiltrated. But you really
must control the number of extensions that you install,
in particular if they do have wide access to your browser,
which most of them have. And think about whether it's
worthwhile having an extension that may change styles, fonts
a little bit, and whether it's worth the risk of potentially
affecting yourself with the latest spyware and malware.
And then we have a great blog post by science instructor
Matthias Fuchs, who is going over how to reconstruct RDP
activity. RDP is one of the big ways how attackers these
days are entering corporate networks. Sadly, it's still
often exposed. Matthias is in detail going over different
Windows event IDs that you may be seeing, and also down to
how using the RDP cache, which contains little 4x64 pixel
snippets of the screenshots during the RDP activity, how
to reassemble them to basically get a better idea
about what happened during a particular event like this. So
great resource for any incident responders or
forensic haters. Well, and this is it for today. So
thanks for listening and talk to you again tomorrow. Bye.
