Hello and welcome to the Wednesday, March 5th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Baltimore, Maryland.

Now in our first seen URLs list, I noticed an interesting pattern where we had a host that has been scanning routinely for the last month or so for leaked credential files like your usual .env files and such. They added some new files to their repertoire, smtp-token.json and a second file that is smtp-keys. The problem with these files is that, well, they likely contain SMTP server credentials. It's not quite clear what particular application these files are associated with, but Googling comes up with the Janssen project. That is actually sort of a set of identity management components, and part of their SMTP server configuration refers to these files. Interesting, also as a little bit of a side note, this particular system that is scanning for these files now is associated with a distillery in Romania. I haven't made contact with them yet, but I assume it's just another compromised system, and it's been going after various credential files for about a month now.

And Jim today posted a second diary. This diary is just a quick notice that Jim updated his tool mac-robber.py. This tool is sort of a reimplementation of the mac-robber tool that comes with The Sleuth Kit, just in Python. And the latest version, which was actually released a couple of weeks ago, does fix some issues with following symlinks.

I think we got a couple of vulnerabilities to talk about. So let's start with Zoho's ADSelfService Plus. This tool is important. Well, because the AD here doesn't stand for advertisements but for Active Directory, it allows users to manage their identity. And apparently they didn't get their sessions quite right. So that allows the attacker to gain information about enrolled users without authentication. This vulnerability is mitigated if you have two-factor authentication implemented, which kind of sounds like a good idea anyway for a tool like this. And of course, there is now a patch available fixing this session handling vulnerability.

And Google yesterday had its Android patch day for March. It's significant insofar as two of the vulnerabilities being patched here, privilege escalation vulnerabilities, one of them in the framework, one of them in the kernel, have already been exploited in some limited targeted attacks. As these updates become available for your particular phone, you probably do want to apply them rather quickly. There are also a number of not yet exploited critical vulnerabilities, but I'm sure that people are pretty much already working on trying to find exploits for them right now.

And Malwarebytes is warning of an interesting new phishing and scam technique to impersonate PayPal. PayPal offers merchants a no-code checkout option. What this really means is that PayPal basically will create a checkout page for you that you're able to heavily customize. But the page itself is hosted within the paypal.com domain. So what attackers are doing here is that they're signing up for these no-code checkout pages. They're now creating a page that doesn't really look like a checkout page, but instead offers, for example, PayPal support phone numbers and such, because you pretty much can add whatever content you would like to this page, which of course is branded by PayPal. It's using the paypal.com domain. And then they are advertising these pages via Google Ads. This makes it really difficult for a victim to figure out that this is not a legitimate PayPal page, because, well, everything is really hosted on PayPal's website. It's just that the attacker added their own text to that particular page. Interesting scam. And I wouldn't be surprised if other similar services are vulnerable to this attack as well.

And Broadcom released updates for VMware vCenter, fixing three different vulnerabilities with CVSS scores up to 9.3. The worst outcome here is a VM escape. So if an attacker is able to take over one of your virtual machines, they own your infrastructure. And these vulnerabilities, according to Broadcom, are already being exploited. So you definitely must patch now. But then again, you probably shouldn't expose vCenter to the world. Your virtual machines, on the other hand, you probably can't help but expose some of their content. And then one virtual machine that's vulnerable would then be used in order to, again, take over your infrastructure. So this is a super critical vulnerability.

Well, that's it for today. So thanks again for listening, and thanks again for any feedback received and for all the good reviews. And if you haven't gotten around to it yet, please check the five stars, check the like or whatever in your particular podcast platform. And talk to you again tomorrow. Bye-bye.
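The credential-file scanning described at the top of the episode, as an added defender-side example that is not part of the podcast or of any ISC tooling: a Python script that pulls requests for .env, smtp-token.json and smtp-keys out of web server access log lines, groups them by source address, and separates plain probes (the file was not there) from the case where the file was actually served. The log lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log lines (combined log format); not honeypot data.
# Two sources probe for credential files, one is an ordinary visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Mar/2025:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2025:10:01:03 +0000] "GET /smtp-token.json HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2025:10:01:04 +0000] "GET /smtp-keys HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Mar/2025:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Mar/2025:10:05:01 +0000] "GET /static/app.js HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.44 - - [04/Mar/2025:10:07:30 +0000] "GET /config/smtp-token.json?x=1 HTTP/1.1" 200 311 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# File names worth alerting on: the two from the diary plus the usual .env.
# Matched on the last path component, so /config/smtp-token.json is caught too.
CREDENTIAL_FILES = {".env", "smtp-token.json", "smtp-keys"}

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def credential_file_probes(log_text):
    """Return {ip: {"paths": [...], "served": [...]}} for clients requesting credential files."""
    hits = defaultdict(lambda: {"paths": [], "served": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].rsplit("/", 1)[-1] in CREDENTIAL_FILES:
            hits[rec["ip"]]["paths"].append(rec["path"])
            # A 2xx means the file existed and was handed out: that is an incident, not just a scan.
            if 200 <= rec["status"] < 300:
                hits[rec["ip"]]["served"].append(rec["path"])
    return dict(hits)

def summarize(log_text):
    """List (ip, info) pairs, most active scanner first."""
    return sorted(credential_file_probes(log_text).items(),
                  key=lambda kv: len(kv[1]["paths"]), reverse=True)

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG):
        served = " SERVED: " + ", ".join(info["served"]) if info["served"] else ""
        print(f"{ip}: {len(info['paths'])} credential-file probe(s){served}")
```

Any source in the "served" column needs the exposed file rotated and pulled from the web root; the 404-only sources are the background scanning the diary describes.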