Hello and welcome to the Monday, September 29th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Industrial Control System Security.

A quick script from Jim this weekend for anybody doing forensics or incident response: something to convert the Unix timestamps in .bash_history files to a more human-readable ISO format. Adding timestamps to .bash_history is obviously useful in incident response. If it's not done by your system, all you have to do is add a HISTTIMEFORMAT variable to your .bashrc or a similar file, and with that you basically define the format. It's often defined as a Unix timestamp; part of this is to make it easy to sort. The file is being written whenever a shell exits, so if you have multiple shells running around the same time, well, these particular commands may not necessarily be in time order as they're being saved to the file. And of course, the usual caveats about this file being potentially manipulated or disabled by an attacker apply.

And then we still have to talk about the Cisco vulnerability that I mentioned last week, the vulnerability that had already been exploited. So again, this affects the ASA and Firepower devices. Note that exploitation of the devices likely started about a year ago. I've seen numbers in news articles that mention 2 million affected devices. Now note that these are potentially vulnerable devices, not exploited devices. I think that distinction sometimes got lost in some of the articles that I've seen. At this point, there's only a very small number of actually exploited devices as far as I've seen, and the exploit itself is not public yet and, from everything I heard, is not trivial. So still, you do want to patch, of course, and now there's the race to find an exploit and make it public for a vulnerability like that. But overall, the chances that you were exploited before the actual patch was released aren't that super high, unless you know something that would make you consider yourself targeted, in particular by a Chinese state-sponsored actor.

Now we have a number of write-ups around this. I want to point out CISA's. CISA also offers its Malware Next-Gen portal to detect infected systems. The way this works is that you create a core dump on your particular Cisco device and then upload it to CISA for automatic analysis. Now CISA's advice, as always, is focusing on the U.S. federal government, but typically, of course, their advice is well-sourced and well-thought-out, so definitely something that you should consider. As far as uploading malware to the Malware Next-Gen portal goes, you must be registered with the portal. That means login.gov, so this is restricted at this point to U.S. citizens, but you do not have to be affiliated with the U.S. federal government. You just have to basically figure out if that's something that you want to do or not.

Not all ASA devices have patches available. There are some affected ASA devices that are end-of-life, and the only option for those is, of course, to replace them with newer models. It is critical you get patching now before we have any more widespread exploitation of this. According to Cisco, affected devices have been found with a modified ROM monitor, or ROMMON for short. This is firmware that basically runs during boot, and by modifying the ROMMON, the malware is able to persist across reboots and also some software updates. However, the specific update released by Cisco in this case will specifically scan ROMMON and apply a fix if it finds it to be modified. A firmware-update.log file is left on disk0 in that case, so if it found something odd with ROMMON. And Cisco recommends that if that's the case, if you see the firmware-update.log file, you must assume the device is compromised. You must change passwords, keys, certificates. Remember, we had that issue many times before, where devices like this were compromised and then even two-factor authentication seeds and such were stolen. Not sure the two-factor authentication seed is an issue here with these particular Cisco devices. And Cisco also requests that any user who runs into an infected device open a ticket with customer support for further help and also advice and analysis of what exactly happened there.

Your device is considered vulnerable if it has the VPN web services enabled. So if you don't have the VPN web service enabled, then you shouldn't be vulnerable. Of course, you may have had it enabled in the past or such. That can sometimes be a little bit difficult to figure out and distinguish. I'll add links to the Cisco advisory as well as to CISA's in the show notes. So if you want to read up on some details that either has published, take a look at that. And like I said, this is something that this week you really have to get a handle on: whether or not you're vulnerable. Apply the patches and then make sure that you haven't already been exploited. The target group is not necessarily just the government networks. In the past, we have seen some private entities, like either suppliers or even law firms in some cases, being hit by malware like this.

And talking about some more targeted attacks, the next attack is also a bit targeted, and this is the use of GitHub notifications that are being abused. On GitHub, if a user is mentioned in an issue, GitHub notifies the user of the issue via email. Sadly, these notifications are customizable enough to make it difficult to distinguish these fraud notifications from other email. BleepingComputer is reporting that the latest wave of these attacks was used to impersonate the startup accelerator Y Combinator, and the targets here apparently were cryptocurrency-related companies. The lure consists of an email notifying the victim of being accepted for funding from Y Combinator. I think they offered something like $15 million. That, of course, entices most startup founders and such to click on those emails. And in this case, the email then led to a Y Combinator lookalike website that then made them install some malware that drained their cryptocurrency accounts. This is something that's always a little bit hard to put into an awareness presentation, such that you have a little bit more targeted attack like this, where they're using systems like GitHub that many of these founders and people associated with startups are more or less trusting. And then, of course, Y Combinator being something that many of them have probably applied for funding for.

Well, and that's it for today. So thanks for listening and thanks for recommending, for liking this podcast. Also, thanks to anybody who is leaving a good comment. That's it for today and talk to you again tomorrow. Bye.
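The timestamp conversion described in the first item, written here as an added example that is not Jim's script or the ISC's code: it parses the `#<epoch>` lines bash writes to .bash_history when HISTTIMEFORMAT is set, renders them as UTC ISO 8601, keeps multi-line commands under their single timestamp, and sorts by time to undo the out-of-order appends that several shells exiting at different times produce. The history content is constructed.

```python
"""Convert the "#<epoch>" lines that bash writes to .bash_history when
HISTTIMEFORMAT is set into ISO 8601 and order the entries by time."""
from datetime import datetime, timezone

# Constructed sample. Line 1 predates HISTTIMEFORMAT (no timestamp). The
# "id" and "for" blocks are OLDER than the two before them: a second shell
# exited later and appended them. The last entry is a multi-line command.
SAMPLE_HISTORY = """echo before-timestamps
#1759104000
whoami
#1759104030
cat /etc/passwd
#1759103900
id
#1759103920
for f in /tmp/*; do
  echo "$f"
done
"""

def parse_history(text):
    """Return (epoch, command) pairs; epoch 0 marks an untimestamped entry.
    After the first timestamp, every line up to the next timestamp belongs
    to that entry, which is bash's own multi-line rule."""
    entries = []
    timestamped = False
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            entries.append([int(line[1:]), ""])
            timestamped = True
        elif timestamped:
            entries[-1][1] += ("\n" if entries[-1][1] else "") + line
        else:
            entries.append([0, line])
    return [(ts, cmd) for ts, cmd in entries]

def to_iso(epoch):
    """UTC ISO 8601; a fixed zone keeps timelines from several hosts aligned."""
    if epoch == 0:
        return "UNKNOWN"
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()

def render(entries, sort_by_time=True):
    """Stable sort keeps file order for equal timestamps; UNKNOWN sorts first."""
    ordered = sorted(entries, key=lambda e: e[0]) if sort_by_time else entries
    return [f"{to_iso(ts)}  {cmd}" for ts, cmd in ordered]

if __name__ == "__main__":
    print("\n".join(render(parse_history(SAMPLE_HISTORY))))
```

Pass `sort_by_time=False` to keep the on-disk order when you want to see exactly what each shell appended and when.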