Hello and welcome to the Tuesday, March 25th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Well, after yesterday's issue with Next.js and the interesting headers around that, I decided today to look a little bit closer at some of the headers being sent by bots against our honeypots, and noticed the use of a couple of particular, a little bit odd, headers. The first one, Sec-GPC, is a header that's specifically designed to indicate your privacy preferences. I see it as a replacement for the Do Not Track header, which of course we all know kind of spectacularly failed. This new header is a little bit more aligned with GDPR and other regulations like this. So apparently they hope that in doing so, there will be more acceptance of that header. At this point, only Firefox actually adds it. There are a couple of other headers that I saw. All of them start with the Sec- prefix, which just indicates that, hey, this is not created by JavaScript. That's really all that means. There's nothing particularly secure about these headers other than that fact. It makes it a little bit easier for browser developers to decide what they should allow JavaScript to set and what, well, JavaScript must not set. The reason that bots add these headers is typically to try to impersonate real browsers better. Now, the Sec-GPC header is a little bit odd here because, well, it is only sent by Firefox, and they're using user agents that are not Firefox. So in some ways, they're actually giving away that this is not a normal browser. And of course, for the attacks they're trying to attempt here, well, these headers are more or less meaningless. These headers are really just preventing cross-site request forgery, which, of course, for a bot scanning websites, well, doesn't really mean anything. Anyway, interesting here: if you want to do some browser profiling and maybe block browsers with sort of odd header combinations, a lot of web application firewalls do support something like this. It's not necessarily a terrible idea to do that. It cuts down on the noise against your web server. But, of course, now we all realize that a little bit more sophisticated attacker, well, will easily be able to replicate a real browser. But basically what it means is you have to be at least this tall in order to attack your website.

And the FBI's Denver field office is warning that they're seeing a lot of malware being installed because people install malicious file conversion software. Of course, that's a common problem. Nothing really terribly new, but probably worthwhile reiterating, in particular with less technical people. If you're going to Google, you're searching for a JPEG to PNG converter, and the top results aren't necessarily legitimate software. You may end up with just straight malware, or malware plus the application that you were looking at. And, of course, that application can do whatever it wants because you executed it. Just, I think, two weeks ago we had this DICOM, these medical image format viewers that were advertised like this and then turned out to be malicious. Any software is potentially vulnerable to this. This is not a vulnerability necessarily in your operating system or in particular software. So just make sure that you know where you download your software from. And if possible, stick with some reputable app stores that come with your operating system. That's probably, for non-technical users, the simplest advice to follow. Yes, there are exceptions here where this may fail you too, but you're much less likely to get malicious software that way.

Just to make the point that, well, these official stores aren't always safe, ReversingLabs published a post on X stating that they found two malicious Visual Studio Code extensions in the official extension store. Now, they have been removed by now. The saddest part, I think, about this particular case is that these malicious extensions were, well, utterly useless. They were called Shiba and I think there was another one, forgot what it was exactly called. But, well, the Shiba one, it basically made a Shiba Inu theme for your Visual Studio Code, including some dog howling noises. And what you ended up with here is ransomware. Okay, minimize the amount of software that you are installing. So, if you install something like an extension, like software, well, make sure you actually need it and it does something useful. So, if the incident response team comes to your desk and asks you, well, you know, why did you install the extension that just encrypted all of our payroll files? The answer probably shouldn't be, well, I wanted my code editor to howl like a dog.

Well, and this is it for today. So, thanks for listening and talk to you again tomorrow. Bye.
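The header-profiling idea from the first story, as an added example that is not part of the episode or of any ISC tooling: a small Python triage script that parses raw HTTP request headers and flags the combination the speaker describes, a Sec-GPC header arriving with a User-Agent that is not Firefox. It takes the statement "only Firefox adds Sec-GPC" from the episode and treats it as a configurable assumption (FIREFOX_ONLY_HEADERS), and it generalizes one step further than the episode by also flagging any Sec-prefixed header sent by a client whose User-Agent is an obvious non-browser tool, since the episode says those headers are browser-set and cannot be set by JavaScript. The request samples, the honeypot host name and the non-browser User-Agent patterns are all constructed for the example.

```python
"""Flag requests whose Sec-* headers contradict the claimed User-Agent.

Added example, not ISC code. The rule that only Firefox sends Sec-GPC is
taken from the episode as stated and kept as a configurable assumption.
"""
import re

# Assumption from the episode: at recording time only Firefox sends Sec-GPC.
FIREFOX_ONLY_HEADERS = {"sec-gpc"}

# Sec-* headers are set by the browser, never by page JavaScript, so a
# non-browser client sending them has copied them in by hand.
SEC_PREFIX = "sec-"

# Constructed list of User-Agent fragments that identify non-browser tools.
NON_BROWSER_UA = re.compile(r"(curl|python-requests|go-http-client|wget|libwww)", re.I)


def parse_request_headers(raw):
    """Parse the header block of a raw HTTP/1.1 request into a dict with lowercase names."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:  # skip the request line
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def is_firefox(user_agent):
    """Firefox advertises itself with a 'Firefox/<version>' token."""
    return "Firefox/" in user_agent


def header_inconsistencies(headers):
    """Return human-readable reasons why the Sec-* headers don't fit the User-Agent."""
    ua = headers.get("user-agent", "")
    reasons = []
    for name in sorted(headers):
        if name in FIREFOX_ONLY_HEADERS and not is_firefox(ua):
            reasons.append(f"{name} present but User-Agent is not Firefox")
        if name.startswith(SEC_PREFIX) and NON_BROWSER_UA.search(ua):
            reasons.append(f"{name} present but User-Agent is a non-browser client")
    return reasons


# Constructed sample requests; honeypot.example is a placeholder host.
SAMPLE_REQUESTS = [
    # Bot claiming Chrome but sending Sec-GPC: the pattern from the episode.
    """GET /about HTTP/1.1
Host: honeypot.example
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Sec-GPC: 1
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Accept: */*
""",
    # Genuine-looking Firefox request; Sec-GPC is expected here.
    """GET / HTTP/1.1
Host: honeypot.example
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
Sec-GPC: 1
Sec-Fetch-Mode: navigate
Accept: text/html
""",
    # Scripted client that copied a Sec-Fetch header but kept a curl User-Agent.
    """GET /status HTTP/1.1
Host: honeypot.example
User-Agent: curl/8.5.0
Sec-Fetch-Mode: cors
Accept: */*
""",
]


def triage(raw_requests):
    """Return (request_line, reasons) for every request whose headers look inconsistent."""
    flagged = []
    for raw in raw_requests:
        request_line = raw.strip().splitlines()[0]
        reasons = header_inconsistencies(parse_request_headers(raw))
        if reasons:
            flagged.append((request_line, reasons))
    return flagged


if __name__ == "__main__":
    for request_line, reasons in triage(SAMPLE_REQUESTS):
        print(request_line)
        for reason in reasons:
            print("  -", reason)
```

Run over the constructed samples, the Chrome-with-Sec-GPC request and the curl-with-Sec-Fetch request are flagged and the Firefox request passes. As the episode notes, this only raises the bar: a client that copies a complete Firefox header set will pass, so the output is best used to cut honeypot noise or as one WAF signal rather than as a blocking decision on its own.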