Hello and welcome to the Tuesday, December 9th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu graduate certificate program in Purple
Team Operations. I would imagine that many of you
listening have seen a device being advertised, the Nano KVM.
KVM stands for Keyboard, Video and Mouse Switcher, which is a
little IP-accessible device that gives you remote access
to the keyboard, video, and mouse of a particular device
that you connect it to. Now, this device does not scream
secure. It screams cheap, and it's advertised as the
cheapest possible device to accomplish this IP access to
your keyboard and video screen. So a little cheap way
to get basically remote access to a system, even if, like,
power fails and the like, which is definitely something
nice to have. And I have actually one here at home and
I've been playing with it and definitely it works. But of
course, the security aspect here comes in, in particular,
since the device has had a number of glaring security
faults, like bad hashing and encryption of passwords,
things like an SSH server being enabled by default with a
default password. And researchers have had a hard
time convincing the maker to fix some of these
vulnerabilities. The latest issue is that the entire
firmware update process is insecure. In particular, the
update of a binary blob that's sort of the proprietary part
of these devices. So that, of course, now opens up the
possibility of evil updates being slipped in here. The
other thing that came out this week was that the motherboard
of the device includes a microphone with no obvious
reason for the microphone to be here. Now, of course, there
were a lot of suggestions about spying and such. There
may actually be a benign explanation for the
microphone. This company also makes a little system on a
chip, sort of a single board computer that's based on the
exact same motherboard as this KVM. The KVM was really
just sort of an application of this single board computer.
And yes, that single board computer does have a
microphone. The microphone is advertised in the product
description. So it's not something that's hidden, even
though, of course, it's a little bit hard to find based
on it being a really, really small sort of surface mounted
microphone on the board. You can always, well, remove the
microphone, even though it's a little bit tricky because of
the small size of it. There's also now an effort underway to
create sort of a more third-party, open-source version of
the firmware that's based on a standard Linux distribution.
So if you don't trust the manufacturer, you could always
switch to one of those solutions. I haven't really
tested them yet to see how reliable they are and how well
they function compared to the official firmware. But then
again, remember, never ever expose these devices to the
Internet. And Barracuda is reporting about a new phishing
kit that they're calling Ghost Frame that uses iframes in
order to evade detection. The way this particular phishing
kit works is that the phishing email and web page themselves are
just simple, benign HTML that doesn't trigger any kind of
phishing detection rules. And then inside that HTML page, an
iframe loads the actual login part of the phishing page. So
that way it's not being detected as easily by any
defensive mechanisms. The other little trick here is
that this iframe loads this page from a random, or not
really random, but unique subdomain. So the attacker
uses a particular subdomain and then just has a prefix, a
long random-looking string, which basically encodes the
recipient. And that way they can load the right login page
for the right victim in a scalable, automated manner.
That's a little bit like some of these phishing sites where
you sort of automatically get your company logo
displayed based on some URL parameters. In this case,
they're not using URL parameters. They're just using
the first label of the hostname. And WatchGuard did
release an update for its Firebox appliance. This update
fixes 10 different vulnerabilities. Five of them
are rated high. None of them is rated critical. There was
one vulnerability that sort of scared me a little bit
initially when I read the title. And that was like
memory corruption in the IKE daemon. That's actually a
component that has been vulnerable in various IPsec
instances in the past. In this particular case, an
unauthenticated attacker may cause a denial of service. But
again, only a denial of service and only in fairly
specific configurations. So nothing I would be too worried
about. There's an interesting Expat vulnerability that I
think could actually turn out to be more severe. It could
lead to internal configuration leaks and does not require
authentication in order to exploit it. So that may be one
of those vulnerabilities where the right attacker that's a
bit more creative in what they're looking for can
actually cause some damage. So apply the update. Again,
nothing critical here. But something probably you want to
get patched by the end of next week. Well, and that's it for
today. So thanks for listening. And one special
request. If you are using the Apple Podcast app in order to
listen to this podcast, I would appreciate a review. So
please and thank you and talk to you again tomorrow. Bye.