Hello and welcome to the Wednesday, October 22, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Incident Response.

I mentioned yesterday, talking about the compromise of the Chinese standard time servers, that we have been collecting data about pool.ntp.org. These are the NTP servers that are basically an open project. Everybody can contribute their time server to it to make it easy to synchronize your time. And a lot of systems, in particular Linux systems, tend to use these NTP servers as their default. Now, I took some time today to go over the data that we have collected just to see how accurate those time servers are. And it turns out they are very accurate. I had to use a double logarithmic scale to really show anything here but a real tight spike. Most of these, and we're talking here about more than 90% of the servers, have an accuracy of less than 10 milliseconds. And pretty much all of them are less than 100 milliseconds. So, that certainly is sufficient for most sort of small business, home networks and the like to synchronize your time. And again, remember there are two parts to it. This is the synchronization to the external time standard. And then, of course, you also have your internal synchronization. The other thing here is you can contribute your own time server if you want to. But they put a little bit of a warning out here that once you commit to it, you had better stick to it. Because, well, people will keep querying your time server even if they can't reach it. Also added a link to the feed that we have. Basically, you can look at the data yourself and check it out and see if you see any oddities or such in this data. But also having a list of NTP servers, these public NTP servers, can be handy because you will see some of your systems reaching out to these IP addresses. And I've seen in the past where firewalls sort of blocked the responses if they aren't really all that great in handling UDP statelessness. And that can sometimes cause some false positives. So it's easy then to discriminate against these false positives if you have this list of NTP servers handy.

This weekend on Sunday, the Xubuntu website was compromised. And download links did point to malicious software. This malware was, well, as often, we were really lucky here. It was relatively basic malware. Apparently, some kind of crypto-coin jacker that copies crypto-coin addresses from the clipboard. It makes itself persistent via a registry entry. So nothing really all that special. And antivirus often did alert on this malware. So by now, I would think that antivirus pretty much has taken care of it. And there wasn't really sort of, as far as I've seen, anything more malicious or more sophisticated behind this malware. There's no official statement yet from the Xubuntu website. They just disabled the download links for now. There is, however, a statement from Sean Davis, who is one of the maintainers here of Xubuntu, stating that they suspect or know that it's some kind of WordPress compromise. And they're sort of waiting a little bit on Canonical, the company behind Ubuntu, to resolve this issue. The main Ubuntu site download was not affected by this. So this was just Xubuntu. I have no real idea how popular that is compared to the official Ubuntu distribution. So whether or not people prefer Xubuntu, I doubt it. I think it's probably at least an order of magnitude or so fewer downloads than Ubuntu itself. Either way, if you downloaded Xubuntu this weekend, and the entire compromise stretched for about 12 hours, I believe, on Sunday, you should double-check that you downloaded the right thing. And then, you know, if you sort of manage a larger network, maybe go a little bit hunting and see if anybody downloaded this malware this weekend.

Then let's talk about a couple of vulnerabilities. First of all, Squid, the proxy web server. Well, it suffers from an information disclosure in error handling. No idea why this was assigned a CVSS score of 10. Again, that certainly sounds inflated. Not a lot of details here. But what usually happens in these kinds of vulnerabilities is that if you configure the default error messages, if the user triggers an error, things like headers, which may include authentication cookies and such, are being echoed back as part of the body of the page, which then, of course, can be accessed because now you're no longer restricted by things like HttpOnly or other properties that may prevent JavaScript access and such to the value of these cookies. So, yes, you want to address this. It's not a 10. I would say probably something like a 7 or such, depending on how exactly you are able to trigger this vulnerability.

And then we have a vulnerability notice for LANSCOPE Endpoint Manager. It affects the on-premise solution. A single malformed network packet may lead to arbitrary code execution due to this vulnerability. And apparently this vulnerability is already being exploited. So, something that you must patch quickly.

And well, that's it for today. So, thanks for listening. Thanks for liking and recommending this podcast. And talk to you again tomorrow. Bye.
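As an added example, not from the podcast or the ISC's own collection code, here is a minimal Python NTP client that builds an NTPv4 request, parses the reply, computes clock offset and round-trip delay with the RFC 5905 formulas, and buckets the offset into the under-10 ms / under-100 ms ranges the episode used when summarizing pool.ntp.org accuracy. All function names are my own; `query` needs network access, while `make_sample_reply` builds a constructed packet so the rest runs offline.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)

def to_ntp(t):  # Unix float seconds -> NTP (seconds since 1900, 32-bit fraction)
    secs = int(t)
    return secs + NTP_EPOCH_OFFSET, int((t - secs) * 2**32)

def from_ntp(secs, frac):  # NTP (seconds, fraction) -> Unix float seconds
    return secs - NTP_EPOCH_OFFSET + frac / 2**32

def build_request(t1):
    """48-byte NTPv4 client packet (LI=0, VN=4, mode=3) carrying t1 as transmit timestamp."""
    return struct.pack("!BBbb11I", 0x23, 0, 0, 0, *([0] * 9), *to_ntp(t1))

def parse_response(data, t4):
    """Return (offset, round-trip delay) in seconds per RFC 5905; t4 is our receive time."""
    f = struct.unpack("!BBbb11I", data[:48])   # raises struct.error on a short packet
    if f[0] & 0x07 != 4:                        # mode 4 = server reply
        raise ValueError("not a server reply (mode %d)" % (f[0] & 0x07))
    if f[1] == 0:                               # stratum 0 = kiss-o'-death / unsynchronized
        raise ValueError("server is unsynchronized or sent a kiss-o'-death code")
    t1 = from_ntp(f[9], f[10])                  # origin: our request's transmit time
    t2 = from_ntp(f[11], f[12])                 # server receive time
    t3 = from_ntp(f[13], f[14])                 # server transmit time
    offset = ((t2 - t1) + (t3 - t4)) / 2        # how far our clock is from the server's
    delay = (t4 - t1) - (t3 - t2)               # network round trip, excluding server time
    return offset, delay

def classify_offset(offset):
    """Bucket |offset| into the ranges the podcast used to summarize pool.ntp.org accuracy."""
    ms = abs(offset) * 1000
    return "under 10 ms" if ms < 10 else "under 100 ms" if ms < 100 else "over 100 ms"

def query(host, timeout=2.0):
    """Live check of one server (needs network): a single UDP/123 exchange."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (host, 123))
        data, _ = s.recvfrom(512)
        return parse_response(data, time.time())

def make_sample_reply(t1, t2, t3):
    """Constructed mode-4, stratum-2 reply for offline use; not a captured packet."""
    return struct.pack("!BBbb11I", 0x24, 2, 6, -20, 0, 0, 0,
                       *to_ntp(t3), *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))
```

Feeding `make_sample_reply(1.7e9, 1.7e9 + 0.025, 1.7e9 + 0.026)` with a receive time of `1.7e9 + 0.041` into `parse_response` models a server 5 ms ahead with 20 ms one-way latency, and a few seconds' worth of `query()` calls against pool.ntp.org hosts reproduces the kind of offset distribution the episode describes.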