Hello and welcome to the Thursday, April 10th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Xavier today wrote about obfuscated Python. In this particular case, the exploit first arrived as a simple script that used PowerShell to download additional Python. Now, what was different about this particular Python script is that it used PyArmor in order to obfuscate the code. And while Xavier isn't going through it line by line here, because of the obfuscation, he at least does show some techniques to get some partial content from the script by doing some behavioral analysis. The problem here, again, is that the script also doesn't really run in sandboxes very well, so that certainly makes analysis of these scripts more difficult. PyArmor itself is not necessarily malicious. It's often used for commercial Python scripts in order to obfuscate the inner workings for intellectual property protection and the like. But if anybody has any tips for Xavier on how to better deal with PyArmor-obfuscated scripts, well, please let him know.

And we have an
interesting vulnerability in CenterStack. CenterStack is made by Gladinet and it's a product that allows you to expose various file shares, like SMB and such, via a simple-to-use web interface. Now, this web interface is written in .NET. .NET, you have probably seen it, has these view states. View states may be signed by the server using a machine key. The problem with CenterStack is that the machine key wasn't properly protected. It's actually a not so terribly unusual vulnerability for these types of applications that rely on the view state being protected by a machine key. The vulnerability is now addressed with a patch. The patch also creates a new machine key for us. However, the vulnerability has already been exploited for a few weeks. They're saying that sometime in March exploitation started, or at least started to be detected, for this vulnerability. So definitely apply this update quickly.

And
then we got updates from Google for Android. This update fixes 62 different vulnerabilities. Two USB-related vulnerabilities are of particular interest here in that they're both being exploited. One allows access to confidential data. The other one is in the USB audio component. Malwarebytes, who has done a little write-up on these two exploited vulnerabilities, says that USB audio component vulnerability was apparently used by Serbian law enforcement to gain access to locked Android phones. You definitely want to address these and update your phone as the particular update becomes available for your particular Android device.

And
Broadcom released updates for VMware Tanzu. Now, VMware Tanzu has nothing really to do with their virtualization product. It's part of their business intelligence product. It also includes a backup product, and that's where a lot of the vulnerabilities being patched here are located: 47 vulnerabilities total, 29 of which apply to the backup and restore component of VMware Tanzu. Many of these vulnerabilities do allow remote code execution, so it's definitely something that you want to address quickly.

And according to Bleeping Computer, some users are reporting all of a sudden seeing an inetpub directory on their Windows systems after installing the latest Windows 11 update. This directory is usually used by IIS, the Internet Information Server, in order to serve files. That component was not installed or enabled on those systems, so for whatever reason, Microsoft decided to create that directory. At this point, it appears to be safe to remove that directory, but overall it shouldn't really have any impact. There's, of course, a slight chance that if you start putting files in there and then later expose these files by installing IIS, you may have a problem. So probably the safe thing to do is just to remove that directory if it's empty and if it's not already used for other purposes on your system.

And if you're using WhatsApp,
be aware there is a file spoofing vulnerability that was being addressed in WhatsApp. The problem here is that an attacker may send you a file that looks like a harmless image, like a PNG, but then actually turns out to be an executable once saved to your system.

And SANS released a new document, the Critical AI Security Guidelines. Now, it's version 1.1, but even though it's labeled as version 1.1, it's very much a document in flux, a living document summarizing what you need to do in order to protect your AI workflows. This document is still waiting for user input as well. Given that AI moves so fast, I think it would be just wrong to release something that is considered sort of done and ready as is. So take a look at it. I'll, of course, add a link to the show notes.

And if anybody's interested, on Friday I'll actually be speaking at an ISSA event here in Jacksonville. It'll be a little bit of an encore of the Internet Storm Center run-through I did for InfraGard a couple of weeks ago, if anybody's interested. Also a link in the show notes if you want to register. And that's it for today. Thanks for listening and talk to you again tomorrow. Bye.
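One defensive check for the WhatsApp item above, as an added example that is not code from the ISC, WhatsApp or Malwarebytes: compare the type a recipient is told a file is (its extension or a sender-declared MIME type) with the type its leading bytes actually indicate, and flag an executable that arrives under an image name. The signature table, the label names and the sample bytes are constructed for the example.

```python
from typing import Optional, Tuple

# Magic-byte prefixes for a handful of common types (constructed table).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "pe-executable"),        # DOS/PE header used by Windows .exe/.dll
    (b"\x7fELF", "elf-executable"),  # Linux/Android native binaries
    (b"#!", "script"),               # shebang: shell, Python, ...
]
EXECUTABLE_TYPES = {"pe-executable", "elf-executable", "script"}

# What the recipient is told the file is, by extension or declared MIME type.
EXT_TO_TYPE = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif",
               "exe": "pe-executable", "dll": "pe-executable", "sh": "script"}
MIME_TO_TYPE = {"image/png": "png", "image/jpeg": "jpeg", "image/gif": "gif"}

def sniff(content: bytes) -> str:
    """Identify the real type from the leading bytes; 'unknown' if nothing matches."""
    for prefix, label in MAGIC:
        if content.startswith(prefix):
            return label
    return "unknown"

def claimed_type(filename: str, declared_mime: Optional[str] = None) -> str:
    """Type a user would infer: a sender-declared MIME type wins over the extension."""
    if declared_mime in MIME_TO_TYPE:
        return MIME_TO_TYPE[declared_mime]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TO_TYPE.get(ext, "unknown")

def check_attachment(filename: str, content: bytes,
                     declared_mime: Optional[str] = None) -> Tuple[str, str, str]:
    """Return (claimed, actual, status); an executable under any other label is the worst case."""
    claimed, actual = claimed_type(filename, declared_mime), sniff(content)
    if actual in EXECUTABLE_TYPES and claimed != actual:
        status = "disguised-executable"
    elif claimed != "unknown" and actual != claimed:
        status = "mismatch"
    else:
        status = "ok"
    return claimed, actual, status

# Constructed samples: a genuine PNG header, and a PE stub carrying a .png name.
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
FAKE_PNG = b"MZ\x90\x00" + b"\x00" * 12
```

Running `check_attachment("photo.png", FAKE_PNG)` returns a `disguised-executable` verdict, while an honestly named `tool.exe` with the same bytes is reported as consistent.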