Hello and welcome to the Tuesday, June 17th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu graduate certificate program in incident response, is recorded in Jacksonville, Florida.

Well, today we have a diary by Didier following up on yesterday's diary by Xavier. Of course, Xavier talked about extracting data from JPEGs. Well, Didier, of course, has a better tool for it, jpegdump, that makes it pretty straightforward to extract data blocks like the one that Xavier found with the encoded DLL yesterday. And it even then allows you to push the data to various other tools, like head and tail, for example, or to the byte-stats tool, which gives you more detail about the composition of particular parts of the file, and also how to better then extract the related malware.

A while ago, after Microsoft announced its new Recall feature in Windows 11, there was a lot of feedback from privacy advocates. Windows Recall, again, takes snapshots, screenshots and such of your system periodically. And then, using Microsoft's AI tools, it allows you to retroactively search these screenshots for any items of interest. This, of course, is meant to be sort of a usability feature for Windows. But, of course, all that data must be stored. It's stored on your local device. And based on some of the feedback that Microsoft initially received, the data is encrypted. However, given that the data is encrypted, the users themselves don't really have a good option to review what data was actually stored. That, again, caused some issues with privacy regulations, in particular in Europe. And Microsoft now implemented a new feature in the latest preview edition of Windows 11 to allow specifically users in Europe to export this data. In order to facilitate the decryption of the export, Microsoft will display, as you enable this feature, an encryption key. Well, this is the only time you'll ever see that encryption key. So, if you're interested in preserving it, you better write it down at that point. And later, you can then export any data that Recall created and decrypt it using this key. Interestingly, this is just limited to the European Economic Area at this point. Maybe that will become available later in other regions. I'm not really sure what would prevent them from doing that. But at this point, again, it's only in the preview release. There are also some admin features around this to regulate enterprise-wide the use of Recall and this Recall restore feature.

And Trend Micro warns of a recent evolution in the Anubis ransomware. Anubis is ransomware as a service. So, you have various groups using this ransomware in order to launch their attacks. It usually starts with a phishing email. The part that changed is that Anubis now implemented a wiper mode. So, what this means is that your data isn't actually just encrypted. It's deleted. And payment of a ransom is unlikely to help you in recovering the data. So, be aware if you're getting hit with this ransomware. It may not be worthwhile actually paying for it. At the very least, ask for a real good sort of sign of life for your data.

Well, then we have a couple of Mitel vulnerabilities that deserve some attention. First of all, the MiCollab suite suffers from a path traversal vulnerability that has been patched a couple of days ago. Definitely pay attention to this. I haven't seen an exploit yet, but it looks like something that's relatively straightforward to exploit once someone does some patch diffing or basically just releases the exploit they used to notify Mitel. So, definitely keep that up to date. The second Mitel issue is actually a proof of concept that was published for an older vulnerability. That's an unauthenticated remote code execution vulnerability. It's related to the ringtone upload feature in Mitel phones. Essentially, it sort of leads to an unrestricted file upload, which then relates to remote code execution. So, if you're using Mitel phones or Mitel software, double check, make sure everything is up to date.

Well, and that's it for today. Remember, there will be no podcast for the next two days. I'll be traveling Tuesday, so I can't record for Wednesday. And then we also have the June 19th holiday coming up. But there should be another podcast on Friday. Thanks for listening and talk to you again on Friday. Bye. Bye.