Hello and welcome to the Monday, September 8, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from New York City, New York. And this episode is brought to you by the SANS.edu graduate certificate program in Purple Team Operations.

Xavier this weekend wrote a great diary to show you how to use YARA to, well, make it easier to analyze malware. In YARA, of course, you can write signatures to find interesting pieces of code in files. And with that, you also get an offset for where that piece of code shows up in the file. The problem you have now is that as you, for example, run that code in a debugger, if you try to identify this piece of code, well, you need to know the offset in the particular section of the PE file, typically the text section. And that's what Xavier is explaining here: how to get all the numbers you need to actually get the right offset in the right section. And, well, to top it off, Xavier also wrote a little Python script to actually do most of the work for you.

VirusTotal has a blog post where they're discussing some of the new phishing attacks that they have seen employing SVG images. SVG images are, well, vector-based images. So one of the advantages of SVG is that as you increase the size of the image, it doesn't become pixelated, but instead sort of retains all the features at the higher resolution. The other advantage of SVG is that it's an XML-based format. So it's easily embedded into a web page. You don't need to load a separate file, which of course makes things more efficient. What's not so well known about SVG images is that, well, they can contain JavaScript. You may ask, why does everything need JavaScript? Well, in this case, SVG images need JavaScript to create interactive images. So you can change the image as the user interacts with a particular image; clicks on it, or mouse-over events and the like can be captured and then translated into altering the image. So that's essentially what's happening here with this particular phishing campaign: the attacker is embedding JavaScript into SVG images, mostly in order to evade detection. Now in this blog post, VirusTotal shows a little bit of its AI tools and shows how they're able then to detect that, well, this particular image does contain malicious JavaScript. To the user, the result is, well, like any other phishing page: it displays a lookalike web page that the user is then tricked into interacting with and delivering their personal information, username, passwords, or additional details. SVG images in general should probably not be blocked. They're very legitimate. Even SVG images with JavaScript, sadly, are used, even though not quite as commonly. But this certainly requires a little bit more capable endpoint detection or malware detection solution in order to figure out these malicious SVG images.

In the last week or so, we did talk a couple of times about FreePBX, the open source PBX software that had an already exploited vulnerability and where we had to deal sort of with partial patches initially and then official patches last week. We now got the official advisory from FreePBX with a little bit more details about the particular vulnerabilities. The critical vulnerability here that was addressed sort of with this emergency patch was indeed an OAuth-related vulnerability, in particular how the secret keys to digitally sign JWT tokens were created. And yes, they were not created randomly: if you had particular distributions, or if you installed two systems at about the same time, you ended up with identical keys. And now you may say, hey, the attacker, well, doesn't necessarily know what time I installed my system. Well, they can guess it in some ways, and then they can also brute force the timestamp. They didn't have to be that particularly accurate as long as they know that the timestamp is being used to create these keys. So that, apparently, was at least part of the issue here that was fixed. There was also a stored cross-site scripting vulnerability that was also addressed in that patch and that also should be patched. It's definitely at least an important vulnerability, if not critical. But the sort of highlight vulnerability here is this OAuth issue, and that's definitely a must-patch-now problem since it's already being exploited.

So, that's it. Well, that's it for today. So, thanks again for listening. Thanks for liking and subscribing to this podcast. And as always, talk to you again tomorrow. Bye.
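As an added example (not Xavier's script or any code from the diary), here is a small Python routine that does the conversion the YARA segment describes: parse the PE section table, find which section a YARA file offset falls into, and compute the section-relative offset and virtual address. The minimal PE32 header layout is constructed inline, with a marker string standing in for the bytes a rule matched, so the example runs offline.

```python
import struct
from collections import namedtuple

Section = namedtuple("Section", "name virtual_address raw_pointer raw_size")

def parse_pe(pe: bytes):
    """Return (image_base, sections) from the PE headers; handles PE32 and PE32+."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]          # DOS header -> PE signature
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                          # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:    # PE32: 4-byte ImageBase at optional-header offset 28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:  # PE32+: 8-byte ImageBase at optional-header offset 24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(num_sections):   # 40-byte section headers follow the optional header
        name, _vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode(), vaddr, rptr, rsize))
    return image_base, sections

def offset_to_va(pe: bytes, file_offset: int):
    """Map a YARA file offset to (section name, offset within section, virtual address)."""
    image_base, sections = parse_pe(pe)
    for s in sections:
        if s.raw_pointer <= file_offset < s.raw_pointer + s.raw_size:
            delta = file_offset - s.raw_pointer
            return s.name, delta, image_base + s.virtual_address + delta
    return None   # offset lies in the headers or in slack outside any section

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header layout (not a real binary) so the demo runs offline."""
    dos = bytearray(64); dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)        # i386, 2 sections
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, 0x400000)                             # ImageBase
    def sec(name, vaddr, rptr):  # VirtualSize 0x1000, SizeOfRawData 0x200; flags unused here
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, vaddr, 0x200, rptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(0x800)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec(b".text", 0x1000, 0x400) + sec(b".data", 0x2000, 0x600)
    image[:len(hdr)] = hdr
    image[0x4F0:0x4F9] = b"EVIL_CODE"   # constructed stand-in for bytes a YARA rule would match
    return bytes(image)
```

On a real sample, replace `build_sample_pe()` with the file's bytes and pass in the offset YARA printed (`yara -s`); the returned virtual address is what you set a breakpoint on in the debugger, assuming the image loads at its preferred base.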