Hello and welcome to the Monday, March 10th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

In diaries this weekend, well, just a quick little diary about web shells. Web shells are certainly still a thing; that actually came up as a question in class last week. Yes, we do still see quite a bit of web shells. Now, many of these web shells use kind of random names, but there are a couple that stick out for being probed quite a bit. So you probably want to check your web servers to see if these files are present. But what you really need to do is nail down the production lifecycle of your web applications so you actually know what files are supposed to be on your web server. That makes it a lot easier to figure out if something got added. These web shells are typically being added either via file upload vulnerabilities, which is sort of the more straightforward way, or, what's also happening quite a bit, they're being uploaded using command injection vulnerabilities, where essentially the attacker is just executing a wget or curl command or something like this in order to download the web shell to the system.

Well, and this weekend at RootedCon in Madrid, researchers from Tarlogic presented on some undocumented commands in the very popular ESP32 chipset. ESP32 is made by Espressif, and it's a system-on-a-chip, so it has a CPU, but it also has Wi-Fi and Bluetooth interfaces. And, well, it's extremely cheap; you can buy them on eBay or Amazon for a couple of dollars retail. These chipsets show up in millions and millions of IoT devices, so any problem with these chipsets is certainly concerning. The problem that Tarlogic found was that there are a number of commands that can be sent over Bluetooth that enable some hidden functionality, some of it with significant security impact, like, for example, the ability to read memory. Anyway, undocumented features in CPUs are nothing new. This has happened to pretty much every CPU manufacturer. Often they are just not well documented. Sometimes these features weren't meant to be ready yet, but they work well enough for people to still use them. So I don't really know exactly what happened here. ESP32, the platform, has had similar issues in the past. For example, for the Wi-Fi interface, there was sort of a hidden way to set it into promiscuous mode that then, of course, was used by many of the cheap wireless sniffing tools and such that people built around these chipsets. The paper is interesting. I haven't read all the details yet; I looked a little bit at the presentation, but it's in Spanish. The press release also points out that the point of the presentation is not so much releasing the fact that there are these ESP32 hidden commands, but really more about releasing a tool set that was used to actually find these hidden commands, to make it easier for pretty much anybody to do a security audit of these and other similar chipsets, because that's certainly something that we see more and more of in the IoT space and also in industrial control systems and the like. You have these fairly small and cheap systems on a chip that are implementing various wireless interfaces. And of course, Bluetooth has always been a little bit more difficult to access for your average user, given some of the constraints around how Bluetooth is defined.

And then a little bit of a warning that, well, fake news can also affect security news. Earlier today, someone sent me a link to a LinkedIn post by a very well-respected security researcher. This post claimed that, well, RSA is dead and can easily be decrypted. The problem is that I very much believe that this particular post was really just meant as a joke. If you know enough about RSA, you probably realize it's a joke, but, well, not many people really do know that much about RSA, and they then amplified that message. So if you're seeing a LinkedIn message like that, or on other social media, be aware that it, in my opinion, is really just a joke that maybe went a little bit too far.

Now we have an interesting case study from the security consulting company S-RM. They discovered malware that spread on an enterprise network via webcams. Now, webcams are often associated with attacks against home networks, but, of course, enterprise networks have them as well, either for security, for video conferencing, and various systems like that. This is, again, an IP-connected standalone camera, so not one that was connected via USB to a particular computer. But what apparently happened here is that after initially breaching the network, the attacker did sort of gain a foothold on that camera and then used it to essentially pivot across the network and attack various other systems using SMB file shares. I think there's a good lesson here, in part because over the last few years, a lot of focus has gone towards endpoint detection and response, or EDR. Well, please don't forget the network here, because devices like this are usually not well covered when it comes to EDR.

Well, and this is it for today. So thanks for listening and talk to you again tomorrow. Bye.
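As an added example (not from the Stormcast or the ISC) to go with the web shell advice at the top of the episode about knowing which files belong on your web server: a Python check that compares a web root against a SHA-256 manifest recorded at deploy time and reports anything added, modified or removed. The directory layout, file names and the tampering in demo() are constructed for the demonstration.

```python
# Added example, not from the Stormcast: check a web root against a manifest of
# SHA-256 hashes taken at deploy time, so files added or changed outside the
# release process (for example a dropped web shell) stand out.
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def compare_to_manifest(manifest, root):
    """Return files that are added, modified or removed relative to the manifest."""
    current = build_manifest(root)
    return {
        "added": sorted(p for p in current if p not in manifest),
        "modified": sorted(p for p in current if p in manifest and current[p] != manifest[p]),
        "removed": sorted(p for p in manifest if p not in current),
    }

def demo():
    """Constructed scenario: a clean release, then an unexpected file in uploads/."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        manifest = build_manifest(root)  # recorded as part of the deployment
        # Later, a script appears in the upload directory and index.php is altered
        with open(os.path.join(root, "uploads", "x.php"), "w") as f:
            f.write("<?php /* placeholder, not part of the release */ ?>\n")
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("// tampered\n")
        return compare_to_manifest(manifest, root)
```

Call demo() to run the constructed scenario; in practice you would store the manifest from build_manifest() with the release artifact and run compare_to_manifest() on a schedule against the live web root.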