Hello and welcome to the Monday, May 19th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu Graduate Certificate Program in Industrial Control System Security, is recorded today in Jacksonville, Florida.

Well, and as in the last few weekends, Didier has a new version of xorsearch for us. I guess that's how Didier is spending his weekends, making xorsearch better. Fundamentally, xorsearch is meant to extract strings from files. That's sort of where the search part comes from. Of course, we now have regular expressions and all kinds of good things that were added these last few weeks. But what we got now is the ability to manipulate the output further. You may now define a Python function, as, for example, just simply isprintable. You're using a dash capital P for that. That will then filter out all printable characters, making the output potentially more readable.

And last week, the Zero Day Initiative by Trend Micro did conduct another Pwn2Own contest. They're always attached to larger security conferences and are promising substantial money for new vulnerabilities that are actually being demonstrated as exploitable as part of the contest. The big theme here, in my opinion, was privilege escalation and virtual machine escape. There were a number of different vulnerabilities in, for example, Red Hat and Windows 11 being demonstrated. Also on the virtual machine escape front, VirtualBox and VMware were exploited. Interesting contest. They are reporting all these vulnerabilities to the respective manufacturers. And I think I actually heard some browser vulnerabilities, like in Firefox, were already addressed over the weekend. But if they're not being actually patched within 90 days, then at least the existence of the vulnerability is made public with a little bit more detail.

Now, I'm a little bit surprised that the FBI came out with a warning stating that they're seeing an increase in attempts to impersonate senior government officials via SMS and voice messaging. Now, they're not really talking about some sophisticated AI deepfakes here. These appear to be very simple scams, at least technically, in how they're being conducted. A little bit surprised that they work at all. On the other hand, we are seeing more and more reports about actual deepfakes being used, for example, to get people hired for jobs. Apparently, North Korea is big in that. But also to then, for example, issue engineering drawings and such, with faked credentials being used in order to qualify these drawings as authentic. This is something that, of course, could have real impact on the integrity and such of construction projects.

Definitely something to consider with all of these different scams, whether it's the less sophisticated, simple SMS sort of smishing, phishing, whatever you call them type of calls, or the more sophisticated deepfake calls. The real defense is usually some kind of business logic. Basically, how do you qualify people, whether or not they're good enough for a particular job, or good enough to deliver some kind of architectural drawing, or good enough to receive some money or give you an account number? Well, there have to be some business rules around this. I don't think that's solely a technical problem. If you do consider it just a technical problem, you'll probably fail, because these scams tend to move pretty quickly around any kind of technical countermeasures.

And researchers from Push Security published an update on Scattered Spider. This is a group that's mostly, well, simply after money. They have sort of put themselves on the map with some big attacks, for example, against MGM. One of the techniques they apparently are using more and more is the use of dynamic domain name systems. They're describing it here sort of as rentable subdomains. And that's in some ways what it is. Kind of a little bit of personal interest: before I was working for SANS, I myself operated a little system that never really went anywhere. But what surprised me a little bit is how well this still works, sort of from an attacker point of view. Actually, when I first started with SANS, we used some of the infrastructure I had for this dynamic domain name system for some of the SANS domains. And, well, we actually ran into issues where some government organizations back then blocked those particular domains because they were using infrastructure known for dynamic domain names. The big problem here is that you have these domain names. They're mentioning here it.com as one that's popular with Scattered Spider. They are well established. A lot of legitimate businesses and such are using these subdomains. And as a result, of course, blocking them, and also just looking for anomalies here, is becoming a bit more complex. One of the things to look for here is where you're looking at what is really a subdomain versus a domain. And there is a list by Mozilla, this public prefix list, that basically lists all of these subdomains like it.com that really in some ways don't behave like a domain. They really behave more like a top-level domain, because then subdomains are assigned to different users. And if you sort of look at domains by first subtracting these public prefixes, well, that can help you get to better results looking for anomalies in your DNS traffic.

Well, and this is it for today. So thanks for listening, and talk to you again tomorrow. Bye.
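The "subtract the public prefixes first" idea from the Scattered Spider segment, as an added example that is not part of the podcast or of Push Security's report: a small Python implementation of the matching rules of the Mozilla Public Suffix List (the list the episode calls the "public prefix list"), used to bucket a DNS query log by registrable domain (public suffix plus one label) instead of by last-two-labels. The list excerpt and the log lines are constructed; it.com appearing on the list is an assumption taken from the episode.

```python
from collections import Counter

# Constructed excerpt in Public Suffix List format; it.com is assumed listed.
PSL_FRAGMENT = """// rules: plain, wildcard (*), exception (!)
co.uk
*.ck
!www.ck
it.com
"""

def parse_psl(text):
    """Rules only: drop comment and blank lines."""
    lines = (l.strip().lower() for l in text.splitlines())
    return [l for l in lines if l and not l.startswith("//")]

def public_suffix(host, rules):
    """PSL algorithm: exception rule wins, else longest match, else last label."""
    labels = host.lower().rstrip(".").split(".")
    best = None  # label count of the best suffix found so far
    for rule in rules:
        exc, r_labels = rule.startswith("!"), rule.lstrip("!").split(".")
        if len(r_labels) <= len(labels) and all(
                r in ("*", h) for r, h in zip(r_labels, labels[-len(r_labels):])):
            if exc:  # exception: suffix is the rule minus its leftmost label
                best = len(r_labels) - 1
                break
            best = max(best or 0, len(r_labels))
    return ".".join(labels[-(best or 1):])

def registrable_domain(host, rules):
    """Public suffix plus one label (eTLD+1); None if host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = public_suffix(host, rules).count(".") + 1
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None

RULES = parse_psl(PSL_FRAGMENT)
# Constructed DNS query log lines: timestamp, client, queried name.
DNS_LOG = """2025-05-19T08:00:01 10.0.0.5 www.example.com
2025-05-19T08:00:03 10.0.0.7 portal.tenant-a.it.com
2025-05-19T08:00:04 10.0.0.7 mail.tenant-b.it.com
2025-05-19T08:00:05 10.0.0.9 cdn.tenant-b.it.com
"""

def registrable_domain_counts(log, rules):
    """Queries per registrable domain, so each it.com tenant is its own bucket."""
    counts = Counter()
    for line in log.splitlines():
        qname = line.split()[-1]
        counts[registrable_domain(qname, rules) or qname] += 1
    return counts
```

With the real list file loaded in place of the fragment, the same counting gives a per-tenant baseline for it.com-style domains rather than one undifferentiated it.com bucket.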