Hello and welcome to the Thursday, May 29th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and this episode, brought to you by the SANS.edu graduate certificate program in cloud security, is recorded as usual in Jacksonville, Florida.

Well, in diaries today we got another one from one of our undergraduate students. Jennifer Wilson did a little experiment demonstrating how you can use large language models like ChatGPT in order to assist you in better understanding various artifacts that you may recover from a honeypot. Now in this particular case, well, it was a little bit oddly named file that sort of triggered the investigation here. It had this sort of hex name, but there was a lowercase s at the end as well, which made it kind of, well, appear that it's not just sort of a simple random hex encoded string. And after going back and forth here a little bit with ChatGPT, Jennifer was able to figure out that this particular file name is associated with Telegram Desktop, and well, where you basically sort of have various encryption keys and such stored. So certainly an interesting finding. Something that wasn't quite as easy and straightforward to find with a simple search. The help from the ChatGPT assistant here certainly helped, but also demonstrates how a lot of this is about asking the right questions, not accepting the first answer you're getting necessarily as true. And sort of that dialogue really, where you have a skilled analyst use ChatGPT in order to figure out what this particular string here was really all about.

And Sophos published a blog post about attacks that they have observed from ransomware that took advantage of unpatched instances of SimpleHelp. SimpleHelp is a tool that's often being used by managed service providers. So what the attacker does here, and that's sort of, I think, the real dangerous pattern that we have seen a couple times before, is that they're not attacking the victim company directly, but they're attacking the managed service provider, the company that actually manages the victim's network. And of course, the ransomware provider is now becoming the manager of the network and has full access and is then able to launch the ransomware. This is a very difficult thing for the victims here because they rely, of course, on a managed service provider. And the reason they usually hire a managed service provider is that they don't have the internal resources, like smaller companies, to adequately manage the network. So there also isn't a resource to really verify that the managed service provider is doing the right thing. Maybe we need sort of a managed service provider management provider, or something like this, to keep an eye on them. But it should really be up to the MSP in order to make sure the tools they're using, like SimpleHelp, are properly patched. The vulnerabilities being exploited here, Sophos lists a few of them, have been patched since January. So they're not super fresh, but still fresh enough for a complex system like SimpleHelp. Well, the patches may not have been applied yet.

Well, and then we have another vulnerability disclosure from OneKey. This time it's in Evertz equipment. I guess that's how you pronounce that company name. It's an unauthenticated remote code execution vulnerability, very easy to exploit. If you're not familiar with Evertz, their equipment is predominantly used in the broadcasting world. They basically make equipment that allows you to send video signals and the like from professional cameras over networks. And these kind of network switches, gateways, that's what's affected here by this vulnerability. OneKey put together a little sort of card summarizing what's exactly vulnerable here. And yes, they're assigning it a CVSS score of 9.3. The only sort of limitation here is that, yes, you are running code as the web server and the web server isn't running as root. But, well, that's really the only sort of thing that doesn't make that a complete 10. Sadly, Evertz has not responded to OneKey's disclosure. They said they reached out to them 90 days ago, but haven't heard back from them. So, this is as of now an unpatched vulnerability. Well, what's the vulnerability all about? It's yet again one of these, well, let's just take a user input and pass it to an execution command here, exec. So, very straightforward, simple OS command injection vulnerability. Very easy to exploit. They also do provide a little sample exploit string here. But once you see that line, it shouldn't really be too hard to figure out, well, how an exploit is working. So, given that there is no patch available, if you run into any equipment like this, well, please make sure that it's not exposed to the internet. And maybe reach out to Evertz if they have any help for you.

Well, and that's it for today. Thanks for listening. Thanks for leaving good reviews on your favorite podcast platform. And, of course, recommending this podcast to your friends. And talk to you again tomorrow. Bye.
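The "take a user input and pass it to exec" pattern from the Evertz item, shown side by side with the fix, as an added example that is not part of the episode, of OneKey's write-up or of any Evertz code. The "network diagnostic" endpoint is hypothetical and constructed for this illustration; `echo` stands in for whatever binary a real device would invoke so the example runs anywhere and prints exactly what reached the command. The hardened form does two independent things: it hands the program an argument vector instead of a shell string, and it only accepts a host name the endpoint actually needs.

```python
import re
import subprocess

# Hypothetical "network diagnostic" endpoint, constructed for this example:
# a web handler that runs a tool against a user-supplied host parameter.
# "echo" stands in for the real diagnostic binary (e.g. ping) so the
# example is portable and shows exactly what reached the command.
TOOL = ["echo", "probing"]

# Strict allowlist for a host name or IPv4 literal: labels of letters,
# digits and hyphens separated by dots. Anything else is rejected outright.
HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Characters that only make sense if the input is meant for a shell.
SHELL_META = set(";|&$`<>()\n\r\"'\\")


def run_vulnerable(host: str) -> str:
    """The anti-pattern the episode describes: user input is concatenated
    into a command string and handed to the shell (shell=True here is the
    same thing as exec()/system() with a concatenated string)."""
    cmdline = " ".join(TOOL) + " " + host
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def run_argv_only(host: str) -> str:
    """First half of the fix: pass an argument vector, no shell. The host
    is a single argv element, so metacharacters are data, not a command."""
    return subprocess.run(TOOL + [host], capture_output=True, text=True).stdout


def validate_host(host: str) -> str:
    """Second half of the fix: only accept what the endpoint needs."""
    if len(host) > 253 or not HOST_RE.match(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def run_hardened(host: str) -> str:
    """Validate, then execute without a shell."""
    return run_argv_only(validate_host(host))


def looks_like_injection(value: str) -> bool:
    """Cheap detection check for a request parameter seen in web-server
    logs: a host name has no business containing shell metacharacters."""
    return any(c in SHELL_META for c in value)


if __name__ == "__main__":
    benign = "example.com"
    hostile = "example.com; echo INJECTED"   # constructed test input
    print("vulnerable :", repr(run_vulnerable(hostile)))   # second command ran
    print("argv only  :", repr(run_argv_only(hostile)))    # printed as data
    print("hardened   :", repr(run_hardened(benign)))
    try:
        run_hardened(hostile)
    except ValueError as err:
        print("hardened   :", err)
    print("flagged    :", looks_like_injection(hostile))
```

Running the script shows the whole story in three lines: with the shell string, `INJECTED` appears as a second line of output because the shell executed a second command; with the argument vector, the same input is echoed back verbatim as one argument; with validation on top, the request never reaches the binary at all. The `looks_like_injection` check is the kind of trivial filter worth running over access logs for a device you cannot patch and have had to keep reachable.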