Hello and welcome to the Monday, June 2nd, 2025 edition
of the SANS Internet Storm Center's Stormcast. My name is
Johannes Ullrich, and this episode, brought to you by the
SANS.edu Graduate Certificate Program in Penetration Testing
and Ethical Hacking, is recorded in Jacksonville,
Florida. Well, in diaries, we do have yet more fun with
images from Xavier. Xavier came across a PNG image that
included malware. Now, this one didn't use sort of the
steganography we have talked about a lot in the last couple
of weeks. Instead, it used sort of a simpler form where
the malicious code is just being appended to the image.
With PNG images, there is an end marker. Any data after the
end marker is ignored, meaning that if you display the image
in a normal image viewer, well, all will look fine
because the script in the end is just ignored. But as Xavier
points out, the script or that data in the end is really just
a little zip archive that then unpacks into a Python script.
Now, one trick they're sort of doing here is that they are
replacing the desktop wallpaper with their own sort
of little wallpaper. Now, Xavier considers this a little
bit more proof of concept than actual malware. In part
because, well, it's just a very simple, straightforward,
basic remote admin tool. Also, this particular wallpaper
sounds more like something that's sort of being done to
indicate, hey, this is sort of something that could be
exploited rather than the exploit itself. Regardless,
virus total detection for this image is very low, indicating
that, well, there aren't really a lot of antivirus
products that are, for example, looking for code
being appended to an image like this, which should really
always be considered malicious. In this case, you
may say, okay, you know, this is a little custom tool.
There's probably not going to be a specific signature for
it. But that's exactly the point, the problem with
signature-based detection: even with today's
AI-enabled tools, we still often rely on signatures. Even with
AI, you just don't really know what the signatures are
because they're often then created by various machine
learning algorithms. Well, and Horizon 3 did release a blog
post outlining how to exploit a recently patched Cisco IOS
vulnerability. This particular vulnerability did affect
Cisco's wireless controller software, and it was related
to a hard-coded JSON web token that then allowed uploading
arbitrary files. That's exactly what Siad Badawi here
from Horizon 3 is walking us through. First of all, that
particular hard-coded JWT that then allows the file upload,
but not only the simple file upload, but also how to do the
directory traversal to then upload arbitrary files in
arbitrary locations, which then leads to remote code
execution. Pretty straightforward exploit, so
something that definitely you must patch now, given that all
the details are now available to the bad guys. At this
point, I haven't seen any exploit attempts in our own
Honeypot data yet, but remember, our Honeypots don't
necessarily emulate these particular devices, so there
may be better attackers out there that are just targeting
these particular devices. And bulletin boards are certainly
no longer quite as popular as they used to be in the old
days. Well, a little bit replaced by social media and
Discord and channels like that, but, well, they're still
out there, and one of the popular bulletin boards still
remains vBulletin. vBulletin patched a
vulnerability about a year ago without really announcing the
patch as a patch for this vulnerability. We now have a
blog post by Karma(In)Security showing the nature of the
vulnerability and how to exploit it. This particular
blog post was released May 23rd. The reason I bring this
up now is, well, we are actually seeing exploitation
of this particular vulnerability starting about
May 25th. So there's certainly some internet-wide scans going
for it. The vulnerability is not that terribly difficult to
exploit, and the blog post does include a little sample
as to how to exploit this particular vulnerability.
Essentially, you're replacing this ad template with PHP code
that is then being executed. Relatively straightforward
again, and that's why we are seeing these internet-wide
scans for exploitation of this particular vulnerability.
Well, and this is it for today. So thanks for
listening. Remember, SANSFIRE is coming up. So if you're
interested, please sign up; it's in D.C. in July. We'll have a
bunch of extra content going on for the Internet Storm Center, in
particular our honeypot workshop, where we will also
give away a limited number of our honeypots. So hope to see
some of you there. Thanks for listening, and talk to you
again tomorrow. Bye.
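The PNG trick described in the first segment, shown as an added example that is not code from the diary or from the episode: the script walks the PNG chunk structure, verifies each chunk CRC, stops at IEND, and reports whatever bytes follow it. If the trailer starts with a ZIP local file header it lists the archive members, which is the pattern the diary describes (a small zip unpacking into a Python script). The sample image and the appended archive are constructed inline so the example runs offline; the member name `payload.py` and the script body are invented for illustration.

```python
import io
import struct
import zipfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def png_chunks(data):
    """Yield (type, body, crc_ok, end_offset) for each chunk, stopping after IEND.

    A viewer stops here too, which is why anything appended after IEND
    never affects how the image renders.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_stored = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_stored) != 4:
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        # CRC covers the type field and the body, not the length field.
        crc_ok = zlib.crc32(ctype + body) == struct.unpack(">I", crc_stored)[0]
        pos += 12 + length
        yield ctype, body, crc_ok, pos
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk found")


def analyze_png(data):
    """Return a dict describing the chunk layout and any data after IEND."""
    chunks = list(png_chunks(data))
    iend_end = chunks[-1][3]
    trailer = data[iend_end:]
    result = {
        "chunk_types": [c[0].decode("ascii", "replace") for c in chunks],
        "bad_crc": [c[0].decode("ascii", "replace") for c in chunks if not c[2]],
        "iend_offset": iend_end,
        "trailing_bytes": len(trailer),
        "trailer_kind": "none",
        "zip_members": [],
    }
    if trailer:
        # Any trailer is suspicious; a ZIP signature makes it a polyglot.
        result["trailer_kind"] = "zip" if trailer.startswith(ZIP_LOCAL_HEADER) else "unknown"
        if result["trailer_kind"] == "zip":
            with zipfile.ZipFile(io.BytesIO(trailer)) as zf:
                result["zip_members"] = zf.namelist()
    return result


def _chunk(ctype, body):
    """Serialize one PNG chunk: length, type, body, CRC32(type + body)."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def build_sample(script_source=b"print('hello from the trailer')\n"):
    """Constructed sample (not a real malware artifact): a 1x1 RGB PNG, and the
    same PNG with a zip containing a Python script appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    scanline = b"\x00" + b"\xff\x00\x00"                  # filter byte + one red pixel
    png = (PNG_SIGNATURE
           + _chunk(b"IHDR", ihdr)
           + _chunk(b"IDAT", zlib.compress(scanline))
           + _chunk(b"IEND", b""))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.py", script_source)  # hypothetical member name
    return png, png + buf.getvalue()


if __name__ == "__main__":
    clean, tainted = build_sample()
    for label, blob in (("clean", clean), ("appended", tainted)):
        print(label, analyze_png(blob))
```

Two caveats a practitioner would check against real samples: a trailer that does not begin with `PK\x03\x04` is still worth flagging (the `unknown` kind), since the payload could be any encoding; and because ZIP readers locate the archive from the end-of-central-directory record, the appended archive typically opens fine even when the whole image file is handed to `zipfile`, which is exactly what makes the appended form so convenient for a dropper.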