Hello and welcome to the Wednesday, July 16th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Washington, D.C. And this episode is brought to you by
the SANS.edu Graduate Certificate Program in Cyber
Defense Operations. Xavier has recently been zooming in a
little bit on alternate data streams and today in his diary
he presents yet another find, a Python script that
implements a keystroke logger and stores that data in an
alternate data stream. In addition to keystroke log
data, it also adds clipboard content to the file that could
then later be exfiltrated. That exfiltration is not
implemented in the script that Xavier found. It's just the
collection of the data. The file is also marked as hidden,
which I guess is supposed to make it a little more
difficult to find. Of course, attributes like this aren't
always that common, so they could also be used as an
indicator to find a suspect file. Same for alternate data
streams: as I've talked about in the past, they're being
used for the Zone.Identifier, or Mark of the Web, but
otherwise they're not terribly common.
Well, Xavier shows a PowerShell script that you can
use to easily find and extract some basic information about
alternate data streams to find potentially malicious ones, or
at least suspicious ones that probably should be looked at a
bit closer. And Mac users, be aware, there is yet another
malvertising campaign out there trying to get you to
install a malicious version of Homebrew. Homebrew is a very
popular package manager for macOS that allows you to
install a lot of great open source tools. In this
particular case, described by Deriv Tech, a user attempted
to Google "brew install" or "install brew" and
was then presented with a malicious advertisement that
directed them to a GitHub page. GitHub is used by
Homebrew, but in this case, the user was presented with a
malicious install script that did install the actual
authentic Homebrew, but also installed additional malware.
As usual, be careful what you install and where you get your
software from, but these cases are sometimes fairly difficult
to detect, in particular with someone who is not familiar
with the particular software. And a blog post by Eleftherios
Panos with security company LRQA revealed details
regarding a recently patched vulnerability in Broadcom's
Symantec Altiris Inventory Rule Management System. This
system listens on port 4011. It uses .NET remoting to
implement the listening port, but it uses it
in a well-known vulnerable configuration, which can
easily be exploited using existing standard .NET
remoting exploitation tools, as the vulnerability is just a
simple deserialization vulnerability in this tool, which
is often used and, again, has been used in the past in
the same insecure configuration. Broadcom
released a patch back in June, and now we do have all the
details on how to exploit this vulnerability, so better make
sure that you are patched and do not expose port 4011 to the
Internet. And one thing that doesn't go away are attacks
against developers. We have yet another example. I have
been talking about malicious extensions for a couple of
years now. This latest example was a malicious extension
against Cursor AI. It was used against a Russian crypto coin
developer who, in the process, lost $500,000 worth of
cryptocurrency. Kaspersky documented it as part of their
SecureList blog. And apparently what happened is
the developer installed a new machine, so installed a new
operating system. And with that, of course, reinstalled
some of the tools that they were using. And one of those
tools was Cursor AI, including an extension that helps with
syntax highlighting. This extension was downloaded from
Open VSX. I mentioned that, I think, last week because of a
vulnerability there. But this particular issue is unrelated
to this vulnerability. It's just simply a malicious
extension that was uploaded by the malicious actor and then
used to steal secrets. And with that, steal secrets that
were used to secure the developer's crypto coin
wallet. Well, and that's it for today. So thanks again for
listening. If you are here at SANSFIRE, my classroom is
actually down on the concourse level. If you want
to pick up any stickers, we also have our little command
center here on Thursday. Guy and Jesse will be there again.
And we have stickers, we have demos and such. If you want to
learn more about Internet Storm Center and our Honeypots
and how it all works, also on Thursday evening, don't forget
we have our Honeypot Workshop, which also includes a Honeypot
giveaway. So thanks for listening and talk to you
again tomorrow. Bye.
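The alternate data stream hunting mentioned in the first story, as an added PowerShell example that is not Xavier's diary script or anything from the original episode: it walks a directory, lists every non-default stream except the Zone.Identifier Mark of the Web, flags files that also carry the Hidden attribute (the combination the keylogger used), and dumps the first bytes of each hit. The function names, the ignore list, and the demo files it builds under $env:TEMP are constructed for this example and are assumptions, not indicators from the diary.

```powershell
# Added example (not the diary's script): hunt for NTFS alternate data streams.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume.

function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams that are expected and not worth reporting on their own.
        # ':$DATA' is the file's default stream; Zone.Identifier is Mark of the Web.
        [string[]] $IgnoreStreams = @(':$DATA', 'Zone.Identifier')
    )
    # -Force is required so hidden and system files are included in the walk.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $isHidden = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $IgnoreStreams -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File     = $file.FullName
                        Stream   = $_.Stream
                        Length   = $_.Length
                        Hidden   = $isHidden      # hidden + extra stream is worth a closer look
                        Modified = $file.LastWriteTime
                    }
                }
        }
}

function Get-AdsPreview {
    param(
        [Parameter(Mandatory)] [string] $File,
        [Parameter(Mandatory)] [string] $Stream,
        [int] $Bytes = 64
    )
    # Read raw bytes rather than trusting a text encoding: keystroke logs and
    # clipboard dumps may be UTF-16 or binary. The byte switch differs by version.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $raw = Get-Content -LiteralPath $File -Stream $Stream -AsByteStream -ReadCount 0 -TotalCount $Bytes
    } else {
        $raw = Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -ReadCount 0 -TotalCount $Bytes
    }
    [pscustomobject]@{
        File   = $File
        Stream = $Stream
        Hex    = ($raw | ForEach-Object { $_.ToString('x2') }) -join ' '
        Ascii  = -join ($raw | ForEach-Object { if ($_ -ge 32 -and $_ -le 126) { [char]$_ } else { '.' } })
    }
}

# Constructed demo data: a hidden file carrying an ADS in the keylogger's style,
# plus a downloaded file with only a Mark of the Web stream that should be ignored.
$demoDir = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demoDir | Out-Null

$victim = Join-Path $demoDir 'notes.txt'
Set-Content -LiteralPath $victim -Value 'harmless visible content'
Set-Content -LiteralPath $victim -Stream 'keys.log' -Value 'constructed sample: [CTRL]password123[ENTER]'
Set-ItemProperty -LiteralPath $victim -Name Attributes -Value ([IO.FileAttributes]::Hidden)

$downloaded = Join-Path $demoDir 'setup.exe'
Set-Content -LiteralPath $downloaded -Value 'not really an executable'
Set-Content -LiteralPath $downloaded -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

# Expect exactly one hit: notes.txt / keys.log, Hidden = True. setup.exe is skipped.
$hits = Find-SuspiciousAds -Path $demoDir
$hits | Format-Table -AutoSize
foreach ($h in $hits) { Get-AdsPreview -File $h.File -Stream $h.Stream | Format-List }

Remove-Item -LiteralPath $demoDir -Recurse -Force
```

Point Find-SuspiciousAds at a user profile or a whole drive during triage; anything outside the ignore list deserves a look, and a confirmed stream can be removed with Remove-Item -LiteralPath <file> -Stream <name> once the content has been preserved for the case. The classic dir /R from cmd.exe shows the same streams if PowerShell is not available.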