Hello and welcome to the Tuesday, March 4th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich and today I'm recording from
Baltimore, Maryland. Well, and today we have a great diary by
Didier showing some of the details of the mark of the
web. That's a feature that we have covered a few times
already in the podcast, usually because it didn't get
properly propagated to different file formats
depending on, for example, zip file extraction software,
things like ISO images and the like, where the mark of the
web is lost in transfer. So the purpose of the mark of the
web is to indicate to the system that this file has been
downloaded from the Internet so the user can be presented
with a warning if this file is executable and the user is
attempting to execute it. On Windows, the mark of the web
is implemented as an alternate data stream, which is
supported by the NTFS file system, but not all file
systems, and with that, not all archive utilities do
properly support alternate data streams, which explains
some of the limitations around the mark of the web
implementation on Windows. Didier also shows a little bit the
details here. So first of all, the mark of the web is
essentially a little text file, like an alternate data
stream, and it includes, first of all, zone information that
indicates where the file came from. So there are zones one
through four that will then tell you three, for example,
would be this was downloaded from an external website. In
addition, you may find things like the URL the file was
downloaded from, the referrer, basically how was the user
directed to that URL. However, those details then also depend
on things like incognito mode in the browser because
that would potentially leak private information. So if you
are in incognito mode, you don't get all of those
details. Interesting overall, and also like the little hack,
how you look at the content of the mark of the web in that
alternate data stream, just in Notepad, by specifying the
alternate data stream as part of your file name as you open
it. And Fortinet published an interesting piece of research
regarding some recent phishing attacks that they have
observed. They start with a simple email that contains an
HTML attachment. The HTML attachment is something that
I've actually seen more and more recently. I think we have
also written some diaries about this. It's what Fortinet
calls click fix. And what it refers to is if the user opens
the particular HTML document, they're presented with an
error message. The error message then instructs them to
copy-paste code and execute it. Yes, users will do this. The
user here doesn't really realize what they're doing, of
course. And that will execute then a PowerShell script that
installs additional malware. Another sort of interesting
tidbit here is that the downloads are coming from a
SharePoint site that the attacker set up and then they
just use the Graph API in order to interact with that
SharePoint site. This way, it also becomes quite difficult
for intrusion detection tools and other tools to detect the
attack because, first of all, the initial email is just an
HTML email. There is nothing sort of executable really in
that HTML. It's not like JavaScript or anything like
this that's often associated with malicious HTML. Well, the
user here essentially exploits themselves by copy-pasting
that PowerShell script. And secondly, all the interaction
with SharePoint, of course, may not necessarily trigger
alerts because that's usually considered a valid business
resource and something that you may use for lots of other
purposes. Then an interesting noteworthy vulnerability is we
do have a vulnerability in the Paragon Partition Manager.
Actually, it's not the software itself, or part of it. It's
really the driver that's being delivered with that software.
That's a kernel-level driver. And as such, it's digitally
signed to be trusted to operate at the kernel level,
which you will need if you are trying to manage partitions.
The problem is that versions prior to version 2 are
vulnerable to actually a number of different
vulnerabilities, one of which is now being exploited by
ransomware gangs for privilege escalation. It's a little bit
of a tricky thing. So, first of all, yes, you should update
Paragon Partition Manager if you run it, but this is even a
problem if you never installed this software because an
attacker may install that driver for you and then use it
for privilege escalation. Microsoft did add this driver
to its vulnerable driver block list, so make sure you have
that implemented. But there have been issues with that
vulnerable driver block list in the past, so not sure how
well this works these days. Maybe add some signatures as
such to detect these older versions of the driver just as
outright malicious if you're not using this software. And
yes, of course, definitely upgrade if you are using this
software. Well, and that's it for today. Thanks to
everybody who noted that I forgot to actually add this
outro yesterday. Sorry for that. Just forgot to splice it
in. At the end, if you are interested in taking the
Intrusion Detection class with me that I'm teaching this
week here in Baltimore, I'll actually be back in Baltimore
with the same class first week of June. Links to future
classes, you'll always find them below the show notes for
the podcast. Thanks and talk to you again tomorrow. Bye.