SANS Stormcast Friday, August 1st, 2025: Scattered Spider Domains; Excel Blocking Dangerous Links; CISA Releasing Thorium Platform

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9552.mp3

Scattered Spider Related Domain Names
A quick demo of our domain feeds and how they can be used to find Scattered Spider related domains
https://isc.sans.edu/diary/Scattered+Spider+Related+Domain+Names/32162
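The domain hunt walked through in this episode, as an added worked example that is not ISC's own feed code and not a tool from the CISA advisory: a Python script that scans a list of newly observed domains for the advisory's literal patterns (target-cms, target-helpdesk) and then pivots to any other domain that carries a watched brand name in a hyphenated label, which is how a name like cdn-truist.com surfaces next to helpdesk-truist.com even though it matches no published pattern. The brand list, the owned-domain allowlist and the feed lines are constructed assumptions for the example; with the real ISC recent-domains feed you would substitute its output for SAMPLE_FEED. Public-suffix handling is deliberately simplified; for production use the public suffix list (for instance via tldextract).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of a "recent domains" feed (not real ISC data): one
# registrable domain per line, as a newly-observed-domains feed would list them.
SAMPLE_FEED = """\
acme-helpdesk.com
acme-cms.com
helpdesk-truist.com
cdn-truist.com
truist.com
truistbank-secure.net
my-account-truist.co.uk
bestpizzashop.org
acmehelpdesk.net
"""

# Suffix patterns discussed in the episode: <target>-cms and <target>-helpdesk.
ADVISORY_SUFFIXES = ("cms", "helpdesk")

# Assumptions for the example: brands to monitor and the domains they legitimately own.
WATCHED_BRANDS: Set[str] = {"truist", "acme"}
OWNED_DOMAINS: Set[str] = {"truist.com", "acme.com"}


@dataclass(frozen=True)
class Hit:
    domain: str
    brand: str
    reason: str  # "advisory-pattern" or "brand-pivot"


def second_level_label(domain: str) -> str:
    """Return the label immediately left of the public suffix.

    Simplification: the last label is treated as the TLD, and a two-letter last
    label preceded by a label of at most three characters (co.uk, com.au) is
    treated as a two-part suffix. Real code should consult the public suffix list.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def brand_tokens(label: str) -> List[str]:
    """Split a label on hyphens, underscores and digits: 'my-account-truist' -> ['my','account','truist']."""
    return [t for t in re.split(r"[-_0-9]+", label) if t]


def classify(domain: str, brands: Set[str] = WATCHED_BRANDS,
             owned: Set[str] = OWNED_DOMAINS) -> Optional[Hit]:
    d = domain.lower().strip()
    if not d or d in owned:
        return None  # the brand's own registration is not an impersonation
    label = second_level_label(d)
    tokens = brand_tokens(label)
    for brand in brands:
        # 1. Literal advisory pattern: <brand>-cms / <brand>-helpdesk.
        for suffix in ADVISORY_SUFFIXES:
            if label == f"{brand}-{suffix}":
                return Hit(d, brand, "advisory-pattern")
        # 2. Pivot: the brand appears as its own hyphen-delimited token anywhere in
        #    the label (helpdesk-truist, cdn-truist, my-account-truist), or as the
        #    prefix of a longer token (truistbank-secure). The prefix match is only
        #    allowed for brand names of five or more characters to keep short brand
        #    names from matching unrelated words.
        if brand in tokens or any(t.startswith(brand) and len(brand) >= 5 for t in tokens):
            return Hit(d, brand, "brand-pivot")
    return None


def scan_feed(feed_text: str, brands: Set[str] = WATCHED_BRANDS,
              owned: Set[str] = OWNED_DOMAINS) -> List[Hit]:
    hits: List[Hit] = []
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hit = classify(line, brands, owned)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan_feed(SAMPLE_FEED):
        print(f"{h.reason:17} {h.brand:8} {h.domain}")
```

Against the constructed feed the script flags the two advisory-style names (acme-helpdesk.com, acme-cms.com) and four pivot hits for truist (helpdesk-truist.com, cdn-truist.com, truistbank-secure.net, my-account-truist.co.uk); truist.com is skipped by the allowlist and acmehelpdesk.net is left alone because the short brand name "acme" is not allowed to prefix-match. Expect some noise from the pivot rule on real feeds; it is a starting point for manual review, not a blocklist.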

Excel External Workbook Links to Blocked File Types Will Be Disabled by Default
Excel will discontinue allowing links to dangerous file types starting as early as October.
https://support.microsoft.com/en-us/topic/external-workbook-links-to-blocked-file-types-will-be-disabled-by-default-6dd12903-0592-463d-9e68-0741cf62ee58

CISA Releases Thorium
CISA announced that it released its malware analysis platform, Thorium, as open-source software.
https://www.cisa.gov/news-events/alerts/2025/07/31/thorium-platform-public-availability

Podcast Transcript

Hello and welcome to the Friday, August 1st, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership.

Yesterday, CISA, in collaboration with other government agencies, published an updated report about Scattered Spider. It's not the first time they published a report about this group, but as I mentioned yesterday, they updated some of the social engineering kind of techniques being used by the group, but also included sort of the usual indicators of compromise. And the one part that I was kind of interested in was the new domain patterns that were being used here, like the targetsname-cms.com or targetsname-helpdesk.com. So basically, that would be the company name, then just followed by helpdesk.com. That, of course, matches them impersonating help desks and such. So I was going over our data to see if we do find any names like this in yesterday's data. Realize, of course, that after this report was published, Scattered Spider likely learned about this and may have changed some of their patterns. So I took this also as an opportunity to show a little bit how to use our data here to find domain names like this. So we offer a recent domain feed. That domain feed does allow you to essentially look for domains registered on a certain date or, really, domains being found on that particular date. Sometimes, depending on how we find them, it's a little bit delayed. And in this case, well, I then basically was just searching for this particular pattern like helpdesk. And there are a couple interesting ones, like in particular this helpdesk-truist.com. You may not be that familiar with that brand, but Truist is a larger bank, at least here in the U.S. I'm not sure what their global sort of footprint looks like. Now, like I said, whenever an attacker uses a particular pattern and it is being found out, they tend to change it. So my next step then was also to look at, hey, what other Truist-related names did we find? And there was this cdn-truist.com that was also registered yesterday. And that domain name, of course, does not match any of the patterns in the CISA reports. Could be because this was registered by a completely different group. Neither one of these domain names, helpdesk or CDN, is currently resolving to an IP address. So it's a little bit hard to figure out what they will ultimately be used for. But the lesson I want to get across here is always sort of pivot around. Don't take these advisories too literally when it comes to the indicators of compromise. They're a good start, but then always pivot around and try to find something new, like here that cdn-. And certainly one of the important Threat Intel sort of inputs that you should keep looking at is any new domain names registered with your particular brand.

And Microsoft is moving ahead with further reducing the attack surface of Excel. Excel has a feature, if you have ever used Excel, to retrieve data from external documents. These links are consistently being updated with the latest content from these external documents. Really sort of a useful feature. But the problem is that, well, these external documents may have malicious content depending on the file type they are. Now, Microsoft has limited what you can do with some sort of known dangerous file types. But that is now also extending to these external links. So if you link to an external file type that Microsoft considers dangerous, this will stop working as soon as October. Microsoft, in its note here, does also provide some help as to how to figure out what file types are being blocked and how to disable the feature or adjust the file types if you wish to do so. So you have that option. This is really just more or less sort of a default setting that users can then relax if they hopefully know what they are doing.

And looking for ways to simplify your malware analysis? Well, the Thorium platform, which is something that Sandia National Labs developed for CISA, is now public. And there is a GitHub repository where you can learn more about this particular tool. Essentially a set of Docker containers that can be used to feed malware to various tools. Supposed to be really simple and fast to use. Personally, I haven't had a chance to look at it yet. If anybody has used it, it would be interesting to hear what you think about it, and if this is a useful tool that improves your analysis.

Well, and that's it for today. Thanks for listening. Thanks for liking and subscribing. Thanks for any feedback that you have regarding this podcast. And talk to you again on Monday. Bye.