Handler on Duty: Jan Kopriva
Threat Level: green
SANS Stormcast Tuesday Mar 25th: Privacy Aware Bots; Ingress Nightmare; Malicious File Converters; VSCode Extension Leads to Ransomware
If you are not able to play the podcast using the embedded player, use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9378.mp3
My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Apr 13th - Apr 18th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 5th - May 10th 2025 |
Privacy Aware Bots
A botnet is sending privacy and CSRF-prevention headers to blend in better with normal browsers. In the process, however, it may actually make itself easier to spot.
https://isc.sans.edu/diary/Privacy%20Aware%20Bots/31796
Critical Ingress Nightmare Vulnerability
ingress-nginx fixed four new vulnerabilities, one of which may lead to a Kubernetes cluster compromise. Note that at the time I am making this live, not all of the URLs below are available yet, but I hope they will be available shortly after publishing this podcast.
https://www.darkreading.com/application-security/critical-ingressnightmare-vulns-kubernetes-environments
https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
https://kubernetes.io/blog/
FBI Warns of File Converter Scams
File converters may include malicious add-ons. Be careful where you get your software from.
https://www.fbi.gov/contact-us/field-offices/denver/news/fbi-denver-warns-of-online-file-converter-scam
VSCode Extension Includes Ransomware
https://x.com/ReversingLabs/status/1902355043065500145
Network Monitoring and Threat Detection In-Depth | Baltimore | Jun 2nd - Jun 7th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Podcast Transcript
Hello and welcome to the Tuesday, March 25th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. Well, after yesterday's issue with Next.js and the interesting headers around that, I decided today to look a little bit closer at some of the headers being sent by bots against our honeypots and noticed the use of a couple of particular, little bit odd headers. The first one, Sec-GPC, this is a header that's specifically designed to indicate your privacy preferences. This is, I see it as a replacement for the Do Not Track header, which of course we all know kind of spectacularly failed. This new header is a little bit more aligned with GDPR and other regulations like this. So apparently they hope that in doing so, there will be more acceptance of that header. At this point, only Firefox actually adds it. There are a couple of other headers that I saw. All of them start with the Sec- prefix, which just indicates that, hey, this is not created by JavaScript. That's really all that means. There's nothing so particularly secure, kind of, other than that fact about these headers. It makes it a little bit easier for browser developers to decide what they should allow JavaScript to set and what, well, JavaScript must not set. The reason that bots add these headers is typically in trying to impersonate real browsers better. Now, the Sec-GPC header is a little bit odd here because, well, it is only run by Firefox, and they're using user agents that are not Firefox. So in some ways, they're actually giving away that this is not a normal browser. And of course, for the attacks they're trying to attempt here, well, these headers are more or less meaningless. These headers are really just preventing a cross-site request forgery, which, of course, for a bot scanning websites, well, doesn't really mean anything.

Anyway, interesting here, if you want to do some browser profiling and maybe block browsers with sort of odd header combinations, a lot of web application firewalls do support something like this. It's not necessarily a terrible idea to do that. It cuts down on the noise against your web server. But, of course, now we all realize that a little bit more sophisticated attacker, well, will easily be able to replicate a real browser. But basically what it means is you have to be at least this tall in order to attack your website.

And the FBI's Denver field office is warning that they're seeing a lot of malware being installed because people install malicious file conversion software. Of course, that's a common problem. Nothing really terribly new, but probably worthwhile reiterating in particular with less technical people. If you're going to Google, you're searching for a JPEG to PNG converter and the top results aren't necessarily legitimate software. You may end up with just straight malware or malware plus the application that you were looking at. And, of course, that application can do whatever it wants because you executed it. Just, I think, two weeks ago we had this DICOM, these medical image format viewers that were advertised like this and then turned out to be malicious. Any software is potentially vulnerable to this. This is not a vulnerability necessarily in your operating system or in particular software. So just make sure that you know where you download your software from. And if possible, stick with some reputable app stores that come with your operating system. That's probably, for non-technical users, the simplest advice to follow. Yes, there are exceptions here where this may fail you too, but you're much less likely to get malicious software that way.

Just to make the point that, well, these official stores aren't always safe, ReversingLabs published a post on X stating that they found two malicious Visual Studio Code extensions in the official extension store. Now, they have been removed by now. The saddest part, I think, about this particular case is that these malicious extensions were, well, utterly useless. They were called Shiba and I think there was another one, forgot what it was exactly called. But, well, the Shiba one, it basically made a Shiba Inu theme for your Visual Studio Code, including some dog howling noises. And what you ended up with here is ransomware. Okay, minimize the amount of software that you are installing. So, if you install something like an extension, like software, well, make sure you actually need it and it does something useful. So, if the incident response team comes to your desk and asks you, well, you know, why did you install the extension that just encrypted all of our payroll files? The answer shouldn't probably be, well, I wanted my code editor to howl like a dog. Well, and this is it for today. So, thanks for listening and talk to you again tomorrow. Bye.
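The header-mismatch check described in the "Privacy Aware Bots" summary and in the transcript above, written out as a small detection script. This is an added example, not code from the ISC diary or the podcast. It takes the podcast's observation (only Firefox sends Sec-GPC) and adds two further consistency checks that are general browser behaviour rather than anything the page states: Sec-CH-UA client hints are sent only by Chromium-based browsers, and a browser that sends Sec-Fetch-Site: none (a user-typed navigation) does not attach a Referer. The JSON log format, the sample records, the IP addresses and the function names are all constructed for this example.

```python
import json
import re
from dataclasses import dataclass, field

# Assumptions behind the heuristics (point-in-time facts, revisit as browsers change):
#  - Sec-GPC is sent only by Firefox (as stated in the podcast).
#  - Sec-CH-UA client hints are sent only by Chromium-based browsers, never Firefox.
#  - Sec-Fetch-Site: none marks a user-initiated navigation, which carries no Referer.
FIREFOX_UA = re.compile(r"\bFirefox/\d+")


@dataclass
class Request:
    ip: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup; returns None when the header is absent."""
        wanted = name.lower()
        for key, value in self.headers.items():
            if key.lower() == wanted:
                return value
        return None


def header_anomalies(req):
    """Return the reasons this request's header set contradicts the browser its
    User-Agent claims to be. An empty list means nothing looked odd."""
    reasons = []
    ua = req.header("User-Agent") or ""
    claims_firefox = FIREFOX_UA.search(ua) is not None

    # The podcast's case: privacy header from a browser that does not send it.
    if req.header("Sec-GPC") is not None and not claims_firefox:
        reasons.append("Sec-GPC present but User-Agent is not Firefox")

    # The mirror image: Chromium-only client hints with a Firefox User-Agent.
    if claims_firefox and req.header("Sec-CH-UA") is not None:
        reasons.append("Sec-CH-UA client hint present but User-Agent is Firefox")

    # Fetch-metadata contradiction: a typed-URL navigation never has a Referer.
    if req.header("Sec-Fetch-Site") == "none" and req.header("Referer"):
        reasons.append("Sec-Fetch-Site=none combined with a Referer header")

    return reasons


def parse_log_line(line):
    """Parse one JSON log record in the constructed format used below."""
    record = json.loads(line)
    return Request(record["ip"], record["path"], record.get("headers", {}))


def scan_log(lines):
    """Map each source IP to the anomalies observed across its requests."""
    findings = {}
    for line in lines:
        req = parse_log_line(line)
        for reason in header_anomalies(req):
            findings.setdefault(req.ip, []).append(f"{req.path}: {reason}")
    return findings


# Constructed sample records: a scanner claiming to be Chrome but sending Sec-GPC,
# a consistent Firefox request, and a plain command-line client.
SAMPLE_LOG = [
    '{"ip": "203.0.113.10", "path": "/login", "headers": {'
    '"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36", '
    '"Sec-GPC": "1", "Sec-Fetch-Site": "none", "Sec-Fetch-Mode": "navigate"}}',
    '{"ip": "198.51.100.7", "path": "/", "headers": {'
    '"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0", '
    '"Sec-GPC": "1", "Sec-Fetch-Site": "none", "Sec-Fetch-Mode": "navigate"}}',
    '{"ip": "192.0.2.44", "path": "/robots.txt", "headers": {'
    '"User-Agent": "curl/8.5.0"}}',
]

if __name__ == "__main__":
    for ip, reasons in scan_log(SAMPLE_LOG).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

Running the script flags only 203.0.113.10, for the Sec-GPC/Chrome mismatch. As the podcast notes, this is a noise-reduction signal rather than a reliable bot indicator: a more careful operator will copy a real browser's full header set, so the findings are better fed into a WAF score or a reputation list than used as a hard block on their own.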