Hello and welcome to the Thursday, October 16th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Applied Cybersecurity.

Xavier today explains an infostealer written in Python and how it deals with clipboard content.
One of the standard features of infostealers is stealing data from the clipboard, often focusing on things like passwords that may be copy-pasted, or maybe crypto coin addresses that are also often copy-pasted, because who wants to type in a long random string like this. Some infostealers actually automatically recognize some of these string patterns as they're being copy-pasted, to be more selective when it comes to actually exfiltrating the data. But not everything on the clipboard is text. You can also copy-paste images, and that's what Xavier's malware is focusing on here. In this example, the Python script actually also looks for images that may be transferred via the clipboard and then exfiltrates them via Telegram, another very common command and control channel for infostealers like this.

And then we got some bad news for
people using products made by F5. F5 today disclosed that they were breached. They attribute the breach to an unspecified nation-state actor, and the breach apparently did last for quite some extended time, like at least months. As part of the breach, source code was stolen from F5 and, probably most importantly, also information about unpatched vulnerabilities was stolen. And that of course is something that affects users of their products. Remember, their products include products like, for example, their BIG-IP series, but also NGINX is being maintained by F5. So if you're using any F5 products like this, definitely pay attention. And paying attention here also means that F5 did today release a number of patches, and these patches are believed to be related to the vulnerabilities disclosed to the attacker during the incident. So that's definitely something that you do want to apply pretty quickly. They made that part of their quarterly security notification. Now, the reason this is a part of the quarterly security notification here is in part because of these vulnerabilities, or actually the incident: F5 was aware of it for a while, but apparently, based on guidance from the Department of Justice, did somewhat delay the public release. On the other hand, there probably wouldn't have been too much that you could have done before having these patches available anyway. This may have been a little bit their calculus here. The vulnerabilities themselves are not terribly severe. The most severe one here is this SAP and SFTP vulnerability. It does allow for object code execution, but you must already have an elevated account in order to do this. So not just any account will work for this, and it really just helps an attacker to break out of the appliance mode in this particular case. The other vulnerabilities are similar in scope. There are some denial of service vulnerabilities, also some other remote code execution vulnerabilities, but those also require already some kind of elevated account. So these are really more privilege escalation vulnerabilities at this point, because those accounts are already able to execute some commands if you're in the right place. The other ones are not going to see that. A couple of days ago also, and this may have been a kind of foreshadowing of this event, F5 did rotate their signing certificates and keys. This could actually be the biggest problem here. If the signing certificate, with the private key material here, was lost, it would of course enable an attacker to now sign software as F5. And if they were already in F5's environment for a couple of months and had access to that material for a couple of months, well, that could have happened sometime in the past. So this is definitely something to be aware of, and make sure that you don't trust those now revoked certificates anymore. But we all know key revocation, certificate revocation, can be a little bit tricky to enforce across a large infrastructure like this. So this is definitely something where you may have to manually intervene. So this affects first of all F5 customers, but again, NGINX is part of the F5 ecosystem, and in particular, the software being signed with F5 certificates, well, that could also trip up some system administrator that's not normally an F5 customer as they, for example, download some related software.

And then a little bit of Patch Tuesday cleanup.
We did yesterday get patches from Adobe. Twelve different products were updated by Adobe. Not sure if that's everything. I actually don't see Adobe Acrobat or a PDF viewer here, so that product, which is one that I usually watch, is not being patched this time. We do have updates for the Adobe Commerce solution. Nothing super critical as far as I can tell here. There's a privilege escalation and a security feature bypass vulnerability. The arbitrary code execution vulnerability only got a CVSS score of 4.8, so probably nothing to worry about too much. And then we also have Adobe Experience Manager. That's a product where I think I've seen some exploits for recently, so that's why I mention this here. Mostly cross-site scripting vulnerabilities. And that, of course, always depends on exactly where the particular cross-site scripting vulnerability appears to see how it could possibly be exploited. So apply your patches, but I
don't see anything sort of out of the ordinary here.

And SAP released its October patches, and with that fixed a number of critical vulnerabilities, most notably two insecure deserialization vulnerabilities in SAP NetWeaver. There are a couple of different components affected by essentially the same type of vulnerability. Onapsis has a good write-up about it, and I'll link to them as well as to the SAP announcement about these updates. They now introduced a special filter function to hopefully help with some of these deserialization vulnerabilities. It's typical for these types of products. We had similar issues also with the corresponding Oracle products like WebLogic and such, where they are exposed to a wide range of objects that they typically can't easily filter, because they have to work with all kinds of different software written by others. And that's probably why SAP is trying to introduce this filter module. The WebLogic solution was more sort of a block list, which of course they always have to amend and append to as new gadgets are being found to exploit these deserialization vulnerabilities.

Well, that's it for today. Thanks for listening, thanks for liking, and thanks for subscribing to this podcast. You may have also received some email about us changing Slack channels. A little bit more about that tomorrow, but that's it for now. So thanks, and talk to you again tomorrow. Bye.
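The allow list versus block list point in the SAP NetWeaver and WebLogic discussion above, as an added example that is not part of the transcript and is not SAP's or Oracle's code: Python's pickle stands in for Java serialization here, the gadget classes and the Report type are constructed for the demo, and the two Unpickler subclasses are hypothetical filters written to show why a block list keeps needing amendments every time a new gadget turns up while an allow list does not.

```python
import io
import os
import pickle


# Constructed gadgets: objects whose __reduce__ tells the unpickler to call an
# arbitrary callable on load. Nothing executes unless a filter lets it through.
class SystemGadget:
    """The classic gadget shape: call os.system during unpickling."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


class EvalGadget:
    """Same shape, a callable the block list below did not think of."""

    def __reduce__(self):
        return (eval, ("2+2",))


class Report:
    """The only type the hypothetical application legitimately deserializes."""

    def __init__(self, host, score):
        self.host = host
        self.score = score


# Block-list filter (the WebLogic-style approach): deny known gadget entry points.
# os.system is really posix.system (nt.system on Windows), so even the first
# entry needs aliases, and every newly published gadget means another tuple here.
DENIED_GLOBALS = {
    ("os", "system"),
    ("posix", "system"),
    ("nt", "system"),
    ("subprocess", "Popen"),
}


class BlockListUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in DENIED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked gadget {module}.{name}")
        return super().find_class(module, name)


# Allow-list filter: only the globals the application's own types need.
# With protocol >= 2 a plain class instance pickles as NEWOBJ, so the class
# itself is the only global the stream resolves; no helpers need allowing.
ALLOWED_GLOBALS = {(Report.__module__, "Report")}


class AllowListUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"global {module}.{name} not allowed")
        return super().find_class(module, name)


def build_streams():
    """Constructed sample streams: one legitimate object and two gadgets."""
    return {
        "report": pickle.dumps(Report("web01", 7)),
        "system_gadget": pickle.dumps(SystemGadget()),
        "eval_gadget": pickle.dumps(EvalGadget()),
    }


def try_load(unpickler_cls, data):
    """Return ("ok", obj) or ("blocked", reason) so the filters can be compared."""
    try:
        return ("ok", unpickler_cls(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))


def compare_filters():
    """Run each stream through both filters; returns the outcome per stream."""
    results = {}
    for label, data in build_streams().items():
        results[label] = {
            "blocklist": try_load(BlockListUnpickler, data)[0],
            "allowlist": try_load(AllowListUnpickler, data)[0],
        }
    return results


if __name__ == "__main__":
    for label, outcome in compare_filters().items():
        print(f"{label:14s} blocklist={outcome['blocklist']:8s} "
              f"allowlist={outcome['allowlist']}")
```

The block list stops the os.system gadget but lets the eval gadget through (the REDUCE opcode happily calls builtins.eval and returns 4), which is exactly the append-as-gadgets-are-found cycle described for WebLogic; the allow list rejects both while still loading the Report object. Java's equivalent mechanism is the ObjectInputFilter introduced with JEP 290, and the design decision is the same: reject every class the stream names that the application does not expect, rather than enumerate the ones it fears.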