
SANS Internet Stormcast Feb 6th 2025: com- prefix domain phishing; Win 10 ESU pricing; Firefox CT Policy; Veeam and Netgear patches

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9312.mp3


Phishing via com- prefix domains
Every day, attackers register a few hundred domain names that start with "com-". They are used in phishing messages, for example the "toll fee" smishing scams, so that a host name such as sunpass.com-<random>.<tld> reads as the brand's real domain at a glance.
https://isc.sans.edu/diary/Phishing%20via%20%22com-%22%20prefix%20domains/31654
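The detection the diary suggests, written out as an added example (this is not code from the ISC diary): the script scans DNS query log lines for host names whose registered label starts with "com-", reports the domain the attacker actually registered next to the domain the victim was meant to read, and lists the clients to follow up with. The log line format, the sample names and the one-label public suffix assumption are mine; the rule is generalized beyond the page to net-, org- and gov- prefixes, which use the same trick.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed DNS query log (not real traffic). The line format is an
# assumption for this example: "<ts> client=<ip> qname=<name> qtype=<type>".
SAMPLE_DNS_LOG = """\
2025-02-06T08:01:12Z client=10.0.4.17 qname=www.example.com qtype=A
2025-02-06T08:01:30Z client=10.0.4.17 qname=sunpass.com-p7x2q.top qtype=A
2025-02-06T08:02:05Z client=10.0.9.3 qname=accounts.google.com qtype=AAAA
2025-02-06T08:03:44Z client=10.0.9.3 qname=irs.gov-refund-2024.xyz qtype=A
2025-02-06T08:05:01Z client=10.0.2.8 qname=ezpassnj.com-tollpay.cc qtype=A
2025-02-06T08:06:22Z client=10.0.4.17 qname=tax-refund.example.org qtype=A
2025-02-06T08:07:09Z client=10.0.2.8 qname=COM-verify.example. qtype=A
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")
# The registered label imitates a brand's real TLD followed by a dash, so that
# "sunpass.com-p7x2q.top" reads as "sunpass.com" at a glance. "com-" is what
# the diary reports; the other prefixes generalize the same trick.
SPOOFED_TLD_RE = re.compile(r"^(com|net|org|gov)-")


class Hit(NamedTuple):
    client: str
    qname: str
    registered_domain: str  # what the attacker actually registered
    apparent_domain: str    # what the victim was meant to read


def com_prefix_hit(qname: str) -> Optional[Tuple[str, str]]:
    """Return (registered_domain, apparent_domain) if the name matches the
    lure pattern, else None. Assumption: a one-label public suffix; for
    .co.uk-style suffixes use a Public Suffix List library instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None
    registered_label, suffix = labels[-2], labels[-1]
    m = SPOOFED_TLD_RE.match(registered_label)
    if not m:
        return None
    brand = labels[-3] if len(labels) >= 3 else ""
    apparent = f"{brand}.{m.group(1)}" if brand else m.group(1)
    return f"{registered_label}.{suffix}", apparent


def scan_dns_log(log_text: str) -> List[Hit]:
    """Run the rule over every parsable log line and collect the hits."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        found = com_prefix_hit(m["qname"])
        if found:
            hits.append(Hit(m["client"], m["qname"].lower(), *found))
    return hits


def affected_clients(hits: List[Hit]) -> List[str]:
    """Clients to follow up with: the domains are too short-lived to be
    worth blocking, but the lookup tells you who clicked."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    found_hits = scan_dns_log(SAMPLE_DNS_LOG)
    for h in found_hits:
        print(f"{h.client} resolved {h.qname}: registered {h.registered_domain}, "
              f"styled to look like {h.apparent_domain}")
    print("follow up with:", ", ".join(affected_clients(found_hits)))
```

A legitimate name whose registered label happens to start with one of these prefixes (a "com-pany.net") matches too, so treat hits as leads for a conversation with the user rather than as an automatic block, which is also the diary's point about the domains being too ephemeral for block lists.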

Microsoft Windows 10 Extended Security Updates
Microsoft has released pricing and additional details for Windows 10 Extended Security Updates (ESU). For the first year after free security updates end, the extended updates cost $61 per device.
https://learn.microsoft.com/en-us/windows/whats-new/extended-security-updates

Mozilla Enforcing Certificate Transparency
Mozilla is following the lead of other browsers and will require certificates to carry signed certificate timestamps (SCTs) as proof of compliance with certificate transparency requirements; certificates without them will no longer be trusted by Firefox.
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/OagRKpVirsA/m/Q4c89XG-EAAJ
https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency#Enterprise_Policies
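What the enforcement checks for, as an added example that is not Mozilla's or Firefox's code: the parser below decodes the SCT list embedded in a certificate's CT extension (the raw contents of the OCTET STRING under OID 1.3.6.1.4.1.11129.2.4.2, in the RFC 6962 TLS layout) and then applies a count rule by certificate lifetime. The SCT list is constructed inside the block and its signatures are placeholders, so nothing is cryptographically verified; the 2/3 thresholds and the use of distinct log IDs in place of distinct log operators are assumptions to be checked against Mozilla's published policy.

```python
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple

# X.509 extension that carries the embedded SCT list (RFC 6962 section 3.3).
PRECERT_SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"


class SCT(NamedTuple):
    version: int
    log_id: bytes         # SHA-256 of the log's public key (32 bytes)
    timestamp: datetime   # when the log promised to include the precertificate
    extensions: bytes
    hash_alg: int         # TLS HashAlgorithm (4 = sha256)
    sig_alg: int          # TLS SignatureAlgorithm (3 = ecdsa)
    signature: bytes      # not verified here; that needs the log's public key


def _read_vec(buf: bytes, pos: int, len_bytes: int):
    """Read a TLS length-prefixed vector; return (data, position after it)."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(buf):
        raise ValueError("truncated vector")
    return buf[pos:pos + n], pos + n


def parse_sct(raw: bytes) -> SCT:
    """Parse one serialized SignedCertificateTimestamp (v1 layout)."""
    if len(raw) < 1 + 32 + 8 + 2 + 2 + 2:
        raise ValueError("SCT too short")
    if raw[0] != 0:
        raise ValueError(f"unsupported SCT version {raw[0]}")
    log_id = raw[1:33]
    ts_ms = int.from_bytes(raw[33:41], "big")
    extensions, pos = _read_vec(raw, 41, 2)
    hash_alg, sig_alg = raw[pos], raw[pos + 1]
    signature, pos = _read_vec(raw, pos + 2, 2)
    if pos != len(raw):
        raise ValueError("trailing bytes after SCT")
    return SCT(0, log_id, datetime.fromtimestamp(ts_ms / 1000, timezone.utc),
               extensions, hash_alg, sig_alg, signature)


def parse_sct_list(ext_value: bytes) -> List[SCT]:
    """Parse the TLS-encoded SignedCertificateTimestampList found inside the
    extension's OCTET STRING: a 2-byte total length, then length-prefixed SCTs."""
    body, pos = _read_vec(ext_value, 0, 2)
    if pos != len(ext_value):
        raise ValueError("trailing bytes after SCT list")
    scts, p = [], 0
    while p < len(body):
        raw, p = _read_vec(body, p, 2)
        scts.append(parse_sct(raw))
    return scts


def sct_policy_check(scts: List[SCT], validity_days: int) -> Dict[str, object]:
    """Assumed thresholds (check them against Mozilla's published policy):
    certificates valid for at most 180 days need SCTs from 2 logs, longer
    ones from 3. Distinct log IDs stand in for the distinct log operators the
    real policy requires, which needs the current log list to resolve."""
    required = 2 if validity_days <= 180 else 3
    present = len({s.log_id for s in scts})
    return {"required": required, "present": present,
            "compliant": present >= required}


# Constructed sample data: made-up log IDs and placeholder signatures,
# not SCTs issued by any real log.
def build_sct(log_id: bytes, ts_ms: int, signature: bytes) -> bytes:
    return (bytes([0]) + log_id + ts_ms.to_bytes(8, "big")
            + (0).to_bytes(2, "big")           # empty extensions
            + bytes([4, 3])                    # sha256 / ecdsa
            + len(signature).to_bytes(2, "big") + signature)


def build_sct_list(raw_scts: List[bytes]) -> bytes:
    body = b"".join(len(s).to_bytes(2, "big") + s for s in raw_scts)
    return len(body).to_bytes(2, "big") + body


LOG_A = bytes.fromhex("aa" * 32)
LOG_B = bytes.fromhex("bb" * 32)
TS_MS = 1738800000000               # 2025-02-06T00:00:00Z in milliseconds
FAKE_SIG = b"\x30\x44" + b"\x00" * 68
SAMPLE_SCT_LIST = build_sct_list([build_sct(LOG_A, TS_MS, FAKE_SIG),
                                  build_sct(LOG_B, TS_MS + 1500, FAKE_SIG)])

if __name__ == "__main__":
    scts = parse_sct_list(SAMPLE_SCT_LIST)
    for s in scts:
        print(f"log {s.log_id[:4].hex()}... at {s.timestamp.isoformat()}")
    print("90-day cert:", sct_policy_check(scts, 90))
    print("397-day cert:", sct_policy_check(scts, 397))
```

On a real certificate, `openssl x509 -in cert.pem -noout -text` prints the embedded SCTs under "CT Precertificate SCTs"; a certificate from an internal CA will usually show none, which is the situation the enterprise policy linked above exists for.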

Veeam Update
A flaw in Veeam's updater component lets an attacker in a machine-in-the-middle position inject a malicious update and execute arbitrary code on the affected system.
https://www.veeam.com/kb4712

Netgear Unauthenticated RCE
https://kb.netgear.com/000066558/Security-Advisory-for-Unauthenticated-RCE-on-Some-WiFi-Routers-PSV-2023-0039

Podcast Transcript

Hello and welcome to the Thursday, February 6th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Well, today I wrote up some of these toll-smishing attacks. You probably got a few of them yourself over the last year or so. The setup is always the same. You're receiving a smishing message telling you that you're overdue in paying the tolls, the highway tolls for your car. And it offers you a link to then pay the tolls. Now, the attackers here are pretty good at sort of customizing these messages somewhat. For example, myself living in Florida, I am usually receiving messages on my Florida phone number that refer to SunPass, the Florida toll system. The domains being used here often use SunPass as part of the host name. So a typical host name would be sunpass.com, then a dash, followed by some random characters. And that's something that you may be able to use to detect users in your network that may have fallen for one of these scams. Take a look if there are any DNS lookups or HTTP requests for anything where the domain name starts with com-. We do see about 100 to 500 of these domains being registered daily. I don't think block lists are that effective because these domains are very ephemeral. They use them only for a very short time. But in hindsight, it may help users if you identify anybody who may have clicked on one of those links. Very importantly, with these links, they usually tell you to reply to the message with a Y. This is in order to make it more difficult for phone companies to identify these messages. That way, the message looks more organic in the sense that there is traffic going forth and back to the number. In my case, and that's very typical for some of the messages I've seen, the number was actually a Philippine number, which makes it pretty obvious that it's bad. But on a mobile device, where it's often not that visible, it's somewhat easy for a victim to fall for these scams if they use tolls a lot and maybe expect a message like this. Always remember that for most recipients, these messages don't work. But there are always a couple of people who are just essentially being caught in a bad moment and are then clicking and falling for these scams. As a little postscript here, I also saw some that used tax dash for tax scams. So that's definitely used as well. Maybe not quite as common right now as the toll messages. But, well, maybe we'll see more of that shortly as we approach the tax filing deadline here in the U.S.

And we all know Windows 10 will soon no longer receive any security updates. Well, in case you try to keep Windows 10 machines alive, Microsoft now published some pricing for its extended security updates. Year one will cost you $61 per machine. So maybe that's an incentive to upgrade to Windows 11. But as always, Windows systems with older versions tend to keep hanging around. We've seen this with Windows XP, certainly Windows 7 somewhat, hopefully a little bit less with Windows 10. And in the future, of course, that's an issue that will continue to come back. So better take notes and make sure you know what versions of Windows you need to keep alive and on what systems you may need to keep them alive.

Well, TLS is one of those protocols that keeps on giving in the form of many, many subtle updates that keep happening. The latest example is that Mozilla announced Firefox will now enforce certificate transparency. Certificate transparency are logs maintained by certificate authorities. They're mandatory. And in the certificate, you should have a signed certificate timestamp, typically from at least two different transparency logs that contain a record for your certificate. If these SCTs, these signed certificate timestamps, are not in your certificate, then Firefox will no longer trust the certificate. I believe actually Google Chrome and Safari have already been doing some form of this. In some cases, it may depend on how long the certificate is valid for. And for longer valid certificates, you may need more timestamps. The big issue here are internal certificate authorities, which often don't have certificate transparency logs. By default, this policy is enforced for internal certificate authorities, but you may disable that using an enterprise policy. So keep that in mind if you all of a sudden get complaints from users that they get bad certificate messages.

And we've got a couple of updates to talk about. First of all, Veeam, the backup solution. Well, a common participant here in the show. You may call him a friend of the show. The critical vulnerability being addressed in Veeam is a problem with their internal updater. It doesn't verify the software properly. So there's a machine-in-the-middle attack here that would allow an unauthenticated attacker to execute arbitrary code, essentially by inserting a malicious backup. And then we also have an update from Netgear for its Nighthawk Pro gaming router. Again, arbitrary code execution is possible here. Did I mention this week already that it's a good idea to have sort of a monthly reminder in your calendar to tell you to double check if your router firmware is up to date?

Well, and that's it for today. So thanks for listening and thanks for all the feedback I'm getting. Thanks for the recommendation as always. If you have a second, please click the five stars in your podcast app, subscribe, or even better, leave a quick positive review. Thanks and talk to you again tomorrow. Bye.