Hello and welcome to the Thursday, July 17th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Washington, D.C. This episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering.

Xavier today wrote up a series of attacks that took advantage of a file sharing box called Catbox. Catbox.moe is the domain being used by this file sharing service, and Xavier was able to capture about 600 or so different URLs being abused at this particular file sharing service. Just like any free file sharing service, it can easily be used to distribute malware. Now, on their web page, they're stating that they do not allow the hosting of .exe and similar files, but it looks like they're really only checking the extension, and something like .dll or such is easily used to evade some of the filters being set up by Catbox. You may want to consider blocking access to this service. It doesn't look, based on the website, that it is all that terribly useful for business purposes. Also, of course, any use of some of these newer generic top-level domains, like .moe in this case, is often a good indicator that something suspicious may be happening.

And Google's Threat Intelligence Group has published details regarding a compromise of fully patched SonicWall SMA 100 devices. These devices are end-of-life, but the particular devices compromised here were fully patched. Now, this is not a zero-day, apparently, that's being used here. Instead, what Google believes is happening is that these particular devices were vulnerable in the past to some of these vulnerabilities that allowed attackers to retrieve credentials, including the seeds for multi-factor authentication. So now they're just coming back after the devices were patched and compromising them using the credentials that the attacker collected in earlier attacks. Good reminder that whenever you find a vulnerable device that may have been attacked, certainly rotate credentials, including any seeds for multi-factor authentication.

And security company Cyfirma published a blog post outlining an attack that is not really fundamentally new. I have seen it over the years evolve in various forms. They're calling it RenderShock. And what it really is all about is that on modern systems, you do have multiple tools that will render various file formats in the background and, with that, potentially expose you to vulnerabilities. These are often indexing programs, preview programs, most famously things like file managers that will render sort of previews of files, but also software that will index files in the background, for example, for searching. Now, what can happen here is that all of these different renderers that are being used and that these files are exposed to may have various vulnerabilities. And there are multiple examples where these vulnerabilities have been triggered in the past by malware being sent to the system. So a possible attack scenario is where a user receives an email attachment but is not actually opening the attachment, maybe saving it to a directory or even just keeping it in their email reader. And unbeknownst to the user, this file is now being parsed and analyzed by all these different renderers, which of course then may execute code or, in more simple cases, just may reach out to various URLs, like, for example, SMB URLs. We had a number of issues around that in the past, which then of course could lead to the leak of credentials. This threat overall, like I said, is not theoretical, even though this particular blog post does not expose any fundamentally new vulnerability. It has been exposed in the past. It's a real good sort of overview of various things that you may be able to do to protect yourself here, and really just to foster some awareness of the threat of having all of these renderers on your system.

Well, and this is it for today. Thanks for listening and thanks to everybody who came to my talk today. It may be available online in the near future. I haven't checked yet if the recording of it worked out on the net. Thanks for liking this podcast. Thanks for listening and talk to you again tomorrow. Bye.
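The extension-only filtering described in the Catbox item above, as an added example that is not from the podcast or from Catbox: a Python check that identifies a Windows PE image by its content (the MZ DOS header and the PE signature at e_lfanew) regardless of the file name, placed next to a name-only blocklist to show which of the two lets a renamed PE through. The blocklist, the helper names and the sample bytes are constructed assumptions.

```python
import struct

# Hypothetical name-only rule, as the podcast describes: blocks .exe and
# similar names, which a renamed PE (for example .dll) walks past.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com"}


def blocked_by_extension(filename: str) -> bool:
    """Return True if the name alone would be rejected."""
    lower = filename.lower()
    return any(lower.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def is_pe_file(data: bytes) -> bool:
    """Content check: True for a Windows PE image (.exe, .dll, .sys, ...)
    whatever it is called. Requires the 'MZ' DOS header and the 'PE\\0\\0'
    signature at the offset stored in e_lfanew (DOS header offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew must point inside the file with room for the 4-byte signature
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def would_be_accepted(filename: str, data: bytes, content_check: bool) -> bool:
    """Upload decision: name blocklist always, content check optionally."""
    if blocked_by_extension(filename):
        return False
    if content_check and is_pe_file(data):
        return False
    return True


# Constructed sample: a minimal PE-shaped blob (DOS header with
# e_lfanew = 0x40, then the PE signature). It is not a runnable executable.
_hdr = bytearray(b"MZ" + b"\0" * 0x3E)
struct.pack_into("<I", _hdr, 0x3C, 0x40)
SAMPLE_PE = bytes(_hdr) + b"PE\0\0" + b"\0" * 20
SAMPLE_TEXT = b"just a text note\n"

if __name__ == "__main__":
    for name, data in [("tool.exe", SAMPLE_PE), ("tool.dll", SAMPLE_PE),
                       ("note.txt", SAMPLE_TEXT)]:
        print(name, "extension-only:", would_be_accepted(name, data, False),
              "content-aware:", would_be_accepted(name, data, True))
```

The same blob named tool.dll is accepted by the name-only rule and rejected once the content check runs.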