Hello and welcome to the Thursday, July 24, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu undergraduate certificate program in Applied Cybersecurity.

Well, today I still spent some time with the SharePoint ToolShell exploits that we have been collecting, and that others have been collecting, to do a little bit of reverse analysis on them. So I figured that I'll summarize some of the things that I learned here in a quick blog post. I also did a video showing you a little bit of how some of this works. And well, it's actually not terribly difficult for many of these exploits to figure out exactly what the attacker does. To get started, first of all, of course, there is the referrer. That's one of the key features here that's being exploited by this vulnerability, or by this exploit. And then it's really just a lot of decoding Base64. So there's Base64 and Base64; that's sort of what it all ends up being. Now, it starts out here with this compressed data table feature, which, well, is Base64 and compressed, and moves on from there. I don't want to go over everything here in the podcast because many of you may not really be that interested. But here is sort of the final page that was uploaded by some of the early exploits that stole the machine key from the system. Other than that, no real sort of big fundamental news here. Lots of research, you know, scanning for machines that may have this particular backdoor installed on the system. This releases the machine keys. And that's, again, the key lesson, I think, here that can't be emphasized enough: that just the patching is probably insufficient at this point. That you must count on this particular exploit having been used against your machine as early as last weekend, and that, as a result, your machine keys are lost. So you must rotate them, or it's relatively straightforward for an attacker to recompromise your system.

And then we have yet another compromised npm package to talk about. I kind of keep thinking about not covering them as much anymore, but this one I think is interesting in a couple of aspects. First of all, it's a very popular package with a few million downloads. The maintainer here at least paid attention, and the compromise was mitigated within hours of actually being made live. The root cause here appears to be compromised maintainer credentials. The problem appears to be that currently there are spam and phishing emails going around for npmjs.com. That domain does not apparently have proper DKIM, DMARC, and SPF records, making email spoofing relatively easy for this particular domain. And several maintainers have fallen for this, leading to a little bit of a rush in compromised packages. The other kind of odd and interesting thing about this package is there is quite a bit of discussion about how much of this is actually necessary. Whether this package is necessary, I'm not enough of an npm JavaScript developer to really make that call. But as a developer, be a little bit conservative in how many packages you install. Having a little convenience package may be nice to have, but definitely be careful with this. There's also a ton of exploits, for example, for some of these Visual Code plugins and such, that pretty much target some of the pretty printers and such, because it just makes things look a little bit nicer. So before you install something like this, first of all, make sure that you really need it. And then secondly, make sure that these are packages that appear to be well maintained. Of course, for the 'is' package, well, it was well maintained in the sense that there were many downloads, there were regular updates, and the maintainer was able to spot the problem quickly, like within five hours. Just the maintainer, I guess, didn't pay close attention to their credentials.

And after announcing it earlier and testing it in some of the Insider editions, Microsoft now, with Windows 11 24H2, has released the new Quick Machine Recovery feature that promises to make life a little bit easier for individual users as well. And I think that's actually sort of a little bit the main audience here, for IT administrators in larger environments. The goal of Quick Machine Recovery is to automatically detect if a machine keeps rebooting, sort of stuck in some kind of reboot loop. And then the machine will automatically reboot into a safe recovery environment. That recovery environment will then check what errors happened, contact a cloud service that will offer potential fixes for this issue, and then apply them and reboot. Sounds interesting, of course, sort of with CrowdStrike being just about a year behind us. This is a feature that was inspired by this particular incident because, of course, back then it required walking around and updating lots and lots of systems, sort of, you know, with hands on keyboard. This is supposed to make these things a bit easier. I see where, also for a lot of home users and less technical users, this sort of will make life easier in case, for example, some update or some third-party software fails and causes problems like this.

Well, and that's it for today. So thanks again for listening. Thanks for liking and subscribing to this podcast. The video I mentioned earlier, about how to reverse the SharePoint exploit, I made it live in the same YouTube channel as the podcast. If you're listening to the podcast or watching the podcast via YouTube, I would like some feedback if you think that's appropriate, if I should set up different playlists or something like this. I may do this anyway, but just any kind of feedback here, how that worked out, please let me know. Because we overall plan to do a little bit more video content, and that will be made live via YouTube. So still trying to work out some of the details here, how we best and most efficiently do this. So thanks for listening and talk to you again tomorrow. Bye.
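The "Base64 and Base64, then compressed" layering the episode describes for the captured SharePoint ToolShell payloads can be peeled mechanically when triaging such captures. This is an added example, not code from the podcast or the ISC diary, run on a constructed harmless sample; it assumes each wrapper is standard or URL-safe Base64, gzip, or zlib.

```python
import base64
import binascii
import gzip
import zlib


def try_base64(data: bytes):
    """Decode strict (standard or URL-safe) Base64; return None if data is not Base64."""
    text = data.strip()
    if len(text) < 8:
        return None
    try:
        # altchars maps '-' and '_' onto '+' and '/', so both alphabets are accepted;
        # validate=True rejects input containing any character outside the alphabet.
        return base64.b64decode(text, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return None


def try_decompress(data: bytes):
    """Try gzip and zlib, both of which carry a verifiable header; return (kind, bytes) or None.

    Headerless raw deflate is deliberately not attempted: with nothing to verify,
    ordinary text can "decompress" by accident and mislead the analyst."""
    if data[:2] == b"\x1f\x8b":
        try:
            return "gzip", gzip.decompress(data)
        except (OSError, EOFError, zlib.error):
            return None
    try:
        return "zlib", zlib.decompress(data)
    except zlib.error:
        return None


def peel_layers(blob: bytes, max_depth: int = 10):
    """Strip Base64/compression wrappers until nothing decodes; return (layers, innermost)."""
    layers, current = [], blob
    for _ in range(max_depth):
        decoded = try_base64(current)
        if decoded is not None:
            layers.append("base64")
            current = decoded
            continue
        step = try_decompress(current)
        if step is None:
            break
        layers.append(step[0])
        current = step[1]
    return layers, current


# Constructed sample (not a captured exploit): a harmless page wrapped the way the
# episode describes, compressed, then Base64-encoded, then Base64-encoded again.
INNER_PAGE = b"<html><body>constructed sample page, no exploit code</body></html>\n"
SAMPLE = base64.b64encode(base64.b64encode(gzip.compress(INNER_PAGE)))
SAMPLE_ZLIB = base64.b64encode(zlib.compress(INNER_PAGE))  # zlib variant, also constructed

if __name__ == "__main__":
    layers, inner = peel_layers(SAMPLE)
    print("wrappers, outermost first:", " -> ".join(layers))
    print(inner.decode())
```

Because the Base64 check is strict, the loop stops at the first layer that is neither valid Base64 nor a headered compressed stream, which for a real capture is the point where an analyst reads the recovered page by hand.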