SANS Stormcast Friday, April 18th: Remnux Cloud Environment; Erlang/OTP SSH Vuln; Brickstorm Backdoor Analysis; GPT 4.1 Safety Controversy

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9414.mp3

RedTail: Remnux and Malware Management
A guest diary describing how to set up a cloud-based malware analysis environment with Remnux and Kasm. A RedTail sample is used to illustrate how the environment can be applied to an analysis.
https://isc.sans.edu/diary/RedTail%2C%20Remnux%20and%20Malware%20Management%20%5BGuest%20Diary%5D/31868

Critical Erlang/OTP SSH Vulnerability
Researchers identified a critical vulnerability in the Erlang/OTP SSH library. Because of this vulnerability, SSH servers written in Erlang/OTP allow arbitrary remote code execution without prior authentication.
https://www.openwall.com/lists/oss-security/2025/04/16/2

Brickstorm Analysis
An analysis of a recent instance of the Brickstorm backdoor. This backdoor was previously known mainly for infecting Linux systems, but a version targeting Windows has now been found.
https://www.nviso.eu/blog/nviso-analyzes-brickstorm-espionage-backdoor
https://blog.nviso.eu/wp-content/uploads/2025/04/NVISO-BRICKSTORM-Report.pdf

OpenAI GPT 4.1 Controversy
OpenAI released its latest model, GPT 4.1, without a safety report and without the guardrails that are meant to prevent malware creation.
https://opentools.ai/news/openai-stirs-controversy-with-gpt-41-release-lacking-safety-report

Podcast Transcript

Hello and welcome to the Friday, April 18th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Orlando, Florida. Today we got another guest diary by one of our undergraduate interns. Jacob Claycamp did write about how to get started in malware analysis. Of course, we have plenty of diaries always about malware analysis. Didier and Xavier most notably are heavily contributing to this. This is more the beginner's view of malware analysis and sort of how to get started with malware analysis using a cloud-based system. A couple of interesting parts here. First of all, Jacob is using AWS, a free instance, and then uses Kasm Workspaces in order to essentially get a remote desktop into a container which then runs Remnux. This is Lenny Zeltser's reverse analysis environment. All of this is Linux-based and since it is set up in a container, it's also easy to reset. And the cloud deployment, of course, makes it nice and isolated from anything that you may have going on in your home network. Overall, interesting setup. And then Jacob is going over a quick analysis of a RedTail sample and how to apply this particular environment to the analysis of this particular malware. Interesting write-up and nice step-by-step guide to help you get started.

And then we have a critical vulnerability affecting the Erlang OTP SSH library. This affects any SSH servers written in this language. The vulnerability was found by researchers at the Ruhr University in Bochum. Now, the OTP here in Erlang OTP does not stand for one-time password. Instead, it does stand for the Open Telecom Platform. This particular version of Erlang was created and maintained initially by Ericsson and is often used in telecom-related devices, routers and the like. So, certainly there is quite a number of affected devices out there. The CVSS score of the vulnerability is a perfect 10.0 because it does allow for arbitrary code execution without authentication. The problem is that some SSH messages, some SSH protocol messages can be sent and executed before authentication finishes due to this bug. And that then leads to arbitrary code execution. Now, the user this code executes at depends on the user the SSH server is running at, at the time it receives these messages. Definitely upgrade, but of course, since this is a vulnerability in the library used to create the SSH server, you may have to wait for respective vendors to actually release updates here. In the meantime, the only alternative you have is to disable or firewall the SSH server.

In Belgium, security company NVISO did release a report with details regarding some of their recent findings of the BrickStorm backdoor. BrickStorm has been used in Linux, in particular in sort of VMware environments, but now they also found a version of this backdoor on Windows. There are a couple of interesting things to note here. Unlike most backdoors, this backdoor actually does not have a remote code execution capability. They say that typically RDP and such is used instead by the attacker and that they specifically didn't include a remote code execution capability to evade some heuristic and behavioral detection that you often find that would flag any code execution behavior. Instead, this particular backdoor is able to read, write files from the file system. It also has some network components that would allow an attacker to essentially use an affected system as a pivot to scan other systems in the network. So certainly a capable piece of malware. Also interesting as a command control channel, they're using Cloudflare workers and similar systems that again are less likely going to trigger alerts. Interesting report and it also includes some good indicators of compromise and ways and techniques how you can actually find if you are affected by this particular backdoor.

And OpenAI released its latest greatest model, GPT 4.1, but this didn't happen amid some controversy around the security aspects here. First of all, this model was released without the usual safety reports or system cards, which typically outline how this particular model was created to be safe, meaning not, for example, allowing to create malware. Well, and apparently some of these safeguards that you often find in these models are missing from GPT 4.1, making it trivial to create malware with this model. Interesting problem here, and I'm not sure if this will be something that OpenAI will fix in short notice, but definitely we have seen malicious models, of course, before, but not from major vendors like OpenAI.

Well, that is it for today, so thanks again for listening, and thanks everybody who I met here, all of you listeners at the event here in Orlando, and we'll talk to you again on Monday. Bye.