SANS Stormcast Wednesday Feb 26th: M365 Infostealer Botnet; Mixing OpenID Keys; Malicious Medical Image Apps

February 25, 2025

Episode Transcript

Massive Botnet Targets M365 with Password Spraying
A large botnet is targeting service accounts in M365 with credentials stolen by infostealer malware.
https://securityscorecard.com/wp-content/uploads/2025/02/MassiveBotnet-Report_022125_03.pdf
Mixing up Public and Private Keys in OpenID
The complex OpenID specificiation and the flexibility it supports enables careless administrators to publich private keys instead or in addition to public keys
https://blog.hboeck.de/archives/909-Mixing-up-Public-and-Private-Keys-in-OpenID-Connect-deployments.html
Healthcare Malware Hunt Part 1:
Medial images are often encoded in the DICOM format, an image format unique to medical imaging. Patients looking for viewers for DICOM images are tricked into downloading malware.
https://www.forescout.com/blog/healthcare-malware-hunt-part-1-silver-fox-apt-targets-philips-dicom-viewers/

See full episode transcriptTranscript is autogenerated by AI

Hello and welcome to the Wednesday, February 26, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. Security Scorecard published a write-up about Botnet. They have observed attacking Microsoft 365 accounts. And what's a little bit different here is that they're not sort of going after normal user accounts, but instead they're going after accounts used by automatic scripts. And with that, of course, you often don't have the ability to do things like two-factor authentication. In this particular case, they're attacking accounts that are using basic authentication, which means you typically have a static username and password, some kind of API key. And well, a recent NIST guidance, for example, specifically suggested to move away from API keys. And one of the big reasons behind that was that API keys tend to be difficult to rotate. If you do need to design some kind of API and web services access, the standard method these days is often OAuth. Now, OAuth is not really safe from some of these info stealer types. But in addition to that, you probably also want to make sure that development and production environment are cleanly separated because info stealers tend to infect developers and not so much in production environments. And as such, if an info stealer steals credentials from a developer, then, well, they can't be used against the production environment. It may also be worthwhile looking into like canary tokens here. That's a nice little trick that can help you identify some of these attacks. Now, security scorecard did publish a bunch of indicators of compromise here with the report, but we all know that they were out of date the moment they were put into that document. And sticking with authentication here for another story, there is a blog post by Hanno Böck looking into misconfigured OpenID setups. OpenID, well, I just mentioned OAuth and the two are related, is commonly used as a standard in order to support a single sign-on. And one interesting thing about OpenID is as part of the standard, there's a standard URL at which you can retrieve the configuration for an OpenID server. This configuration file does include public keys or well, it should include public keys in order to verify any assertions that were signed by this particular OpenID server. However, as Hanno found out, some misconfigured servers are also offering private keys. This is a little bit based on sort of the flexibility of OpenID. It can use symmetric as well as asymmetric signatures. Asymmetric signatures, you only get the public key. Well, symmetric ones, you get the key, which of course is public and private, and should not be leaked to the public. But yes, misconfigurations happen. And Hanno did take a look at the, I believe it was the 100,000 biggest files based on one of the standard top web server lists. Only found nine that were misconfigured, but still nine servers out of the 100 ,000 most popular web servers. And of course, not all of them offer a single sign-on with OpenID were misconfigured and did leak private keys. Looks probably worse when you're looking at smaller setups that are not necessarily as prominent and as often probed as these top web servers. And definitely something that you do want to review in your own OpenID configuration. And if you were ever subjected to any medical imaging, you may have been given by your doctor or the lab CD or DVD with the image file. Well, that image file was likely in a format called DICOM. And DICOM is a standard medical image format. And then of course, you wanted to look at the images yourself. Well, I remember doing this myself a couple of years back, and the image viewers I found were kind of hokey. They didn't really look sort of like real software per se, a little bit sort of antiquated in their UI. And it looks like that Chinese threat actor now is taking advantage of that by offering back door image viewers for the DICOM format. ForScout has a little write up about this. But essentially, this group is publishing malicious DICOM viewers that unsuspecting users that like I did years ago, just search Google for a random, more or less DICOM viewer, maybe search some of the app stores, then end up with these malicious versions. Not sure what to tell you about how to fix this. I think your best bet is probably to stick with the official app stores for some of these applications, even though even those applications, like I said, the UI looks a little bit clumsy, not sort of as polished as you usually expected from commercial software, at least the software I ended up with. Hope I didn't end up with any back door software back then. Well, and this is it for today. Thanks for listening and talk to you again tomorrow. Bye.

Digital Dispatch Podcast Podcast Artwork Image

SANS Daily Stormcast

Johannes Ullrich

Contact Show