SANS Stormcast Monday, October 27th, 2025: Bilingual Phishing; Kaitai Struct WebIDE

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9672.mp3

Bilingual Phishing for Cloud Credentials
Guy observed identical phishing messages in French and English attempting to phish cloud credentials
https://isc.sans.edu/diary/Phishing%20Cloud%20Account%20for%20Information/32416

Kaitai Struct WebIDE
The binary file analysis tool Kaitai Struct is now available in a web-only version (a WebIDE running entirely in the browser, no local install required)
https://isc.sans.edu/diary/Kaitai%20Struct%20WebIDE/32422

WSUS Emergency Update
Microsoft released an emergency patch for WSUS (Windows Server Update Services) to fix a critical, actively exploited vulnerability, CVE-2025-59287
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
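The transcript's main point is that a WSUS server is a trust anchor for every client that pulls updates from it, so the first job is to find out which servers actually run the role, whether they listen on the network, and which clients point at them. The following PowerShell triage script is an added example for this page; it is not from the ISC diary, the Huntress write-up, or the Microsoft advisory. It assumes the standard Windows Server feature name (UpdateServices), the default WSUS ports 8530 (HTTP) and 8531 (HTTPS), and the well-known WindowsUpdate policy registry key on clients. It does not encode any KB number, because the page does not give one; compare the hotfix list it prints against the MSRC entry linked above.

```powershell
# Added example (not from the ISC, Huntress or Microsoft material this page links to).
# Run in an elevated PowerShell on a Windows Server to triage WSUS exposure, then on a
# client to see which update server it trusts. Assumptions: feature name 'UpdateServices',
# default WSUS ports 8530/8531, and the standard WindowsUpdate policy key on clients.

function Test-WsusServerExposure {
    Import-Module ServerManager -ErrorAction SilentlyContinue

    # 1. Is the WSUS role installed at all? If not, this host is not a WSUS server.
    $feature = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    if (-not $feature -or -not $feature.Installed) {
        Write-Host "WSUS role (UpdateServices) is not installed on $env:COMPUTERNAME."
        return
    }
    Write-Host "WSUS role is installed on $env:COMPUTERNAME; checking network exposure."

    # 2. Which addresses are the default WSUS ports bound to? 0.0.0.0 / :: means all interfaces.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 8530, 8531 }
    if ($listeners) {
        Write-Host "WSUS listeners:"
        $listeners | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
    } else {
        Write-Host "Nothing is listening on 8530/8531 (WSUS may be stopped or using custom ports)."
    }

    # 3. Enabled inbound firewall rules that allow those ports. Pair this with your edge
    #    firewall review: a WSUS server should not be reachable from the Internet.
    $ruleNames = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { ($_.LocalPort -contains '8530') -or ($_.LocalPort -contains '8531') -or ($_.LocalPort -contains 'Any') } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
        Select-Object -ExpandProperty DisplayName -Unique
    Write-Host "Inbound allow rules covering WSUS ports: $($ruleNames -join ', ')"

    # 4. Most recently installed hotfixes, to compare by hand against the MSRC entry for
    #    CVE-2025-59287 (the KB number is deliberately not hard-coded here).
    Write-Host "Most recent hotfixes on this server:"
    Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn |
        Format-Table -AutoSize
}

function Get-WsusClientConfig {
    # On any domain member: which update server does this machine trust? A compromised
    # WSUS server can push arbitrary updates to every host listed here.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey     = Join-Path $policyKey 'AU'
    $wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey     -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        WUServer        = $wu.WUServer          # URL of the WSUS server, if policy-managed
        WUStatusServer  = $wu.WUStatusServer
        UseWUServer     = $au.UseWUServer       # 1 = client uses the WSUS server above
        UsesHttps       = if ($wu.WUServer) { $wu.WUServer -like 'https://*' } else { $null }
    }
}

Test-WsusServerExposure
Get-WsusClientConfig | Format-List
```

Run the first function on each server that might carry the role (an inventory from Active Directory or your CMDB is the better starting list than memory), and the second one across a sample of workstations to confirm which servers are really in the update trust chain. A WUServer value using plain http:// is worth noting separately: it is not the CVE, but it widens the set of positions from which an attacker could tamper with update traffic.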

Network Security Devices Endanger Orgs with 90s-era Flaws
Attackers increasingly use simple-to-exploit network security device vulnerabilities to compromise organizations.
https://www.csoonline.com/article/4074945/network-security-devices-endanger-orgs-with-90s-era-flaws.html

Podcast Transcript

 Hello and welcome to the Monday, October 27th, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from
 Jacksonville, Florida. And this episode is brought to you
 by the SANS.edu graduate certificate program in Purple
 Team Operations. Got two diaries this weekend. And
 first one from Guy, Guy being French Canadian, so his first
 language is French. He's actually seeing quite a few
 phishing emails coming in in French and then identical
 emails pretty much coming in in English. This is something
 that I've always a little bit wondered about, how much of
 the language of these phishing emails is targeted to the
 recipients. Of course, in particular in Canada, it's a
 little bit hard to tell if a particular person speaks
 French or doesn't speak French. But interesting that
 essentially the same email is being used for French as well
 as English. And well, I guess attackers are trying to appeal
 them more to speakers of French because they are often
 more used. I noticed from Germany as well that the
 majority of phishing emails is in English. So whenever there
 is one in a person's native language, if that's not
 English, that, of course, has a somewhat higher chance of
 success. And then we have a second diary this weekend from
 Didier. Didier attended recently the Hack.lu
 conference. And at the conference, he saw an
 interesting presentation from developers of Kaitai Struct.
 This is a tool that is being used to analyze malware often.
 It basically allows you to analyze various binary
 formats. Well, they now have a web IDE available that
 essentially implements everything in JavaScript. It
 allows you, without having to install any specific tool, to
 simply just run this Kaitai Struct tool. Looks pretty
 neat. And I think particularly for someone who is just
 occasionally doing some malware analysis, probably a
 real nice tool to have. Feels a little bit like CyberChef,
 but of course, more with the focus on binary analysis,
 while CyberChef is really just sort of for file conversion
 and the like. So there is some overlap between these tools.
 But for reverse analysis, definitely take a look at Kaitai
 Struct, the web IDE. And on Friday, I mentioned the new
 vulnerability in the Windows Server update service or WSUS.
 And this vulnerability is now, first of all, being exploited
 in the wild. Huntress published some data about
 that. Secondly, Microsoft on Friday did release a patch for
 this vulnerability for versions of Windows Server
 going back to 2019. So even Windows Server 2019 did get an
 update here for this. Microsoft also published an
 advisory going with this update with additional details
 about this vulnerability. The big takeaway here is, number
 one, it's being exploited actively. It does not require
 authentication. It does allow for arbitrary code execution
 on your update server. And with that, it also then allows
 the compromised update server to, of course, push malicious
 updates to any client that does pull updates from this
 update server. So it's not just affecting this update
 server. It's affecting the entire network that is using
 this particular update server and trusting this update
 server for updates. So that's really the big issue here.
 Most of these update servers are hopefully not exposed to
 the Internet. But definitely, this is a high priority patch
 that you must install today, if at all possible. And then
 CSO Online has a good article that summarizes something that
 I have been ranting about in the past a few times.
 Actually, I think I mentioned it at one of the RSA keynotes.
 Couldn't find it anymore. So probably old enough, long
 enough ago where Google sort of lost it. But the problem
 here is that we see more and more attacks that actually
 exploit vulnerabilities in network security devices that,
 well, are, as the title of the article says, 90s-era flaws.
 So very easy, exploitable vulnerabilities that are being
 taken advantage of in devices that are supposed to actually
 make us more secure. One statistic that I think comes
 from MITRE here that's quoted in this article that I think
 particularly tells the story is that about a third of
 attacks are starting out, so the initial entry point now is
 an attack against a network security device. Only half of
 that, like 16%, I think it was, is phishing. And we spent
 a lot of effort on preventing and fighting phishing.
 Probably still a good thing. And maybe the fight actually
 made it that it's no longer your number one problem. But
 really discouraging that these expensive enterprise security
 devices are really opening us up to more problems than they
 may fix in some cases. Definitely something to pay
 attention to. And yes, as always, keep those devices
 patched. I think every week we have a new vulnerability here.
 The article also lists like some Saturday vulnerabilities
 that have been exploited in these devices in the last two
 years. Well, and that's it for today. So thanks again for
 listening. And thanks for recommending it. Thanks also
 to everybody who attended my talk in Augusta on Saturday.
 If it will be available online, I'm not sure. I'll
 definitely note and link to it. And yeah, it's always good
 to run into people that reach out and let me know that
 they're listening. Because sitting here in my office and
 just talking to the camera and my dog, maybe a cat sitting on
 the desk here. Well, we wonder sometimes whether or not
 anybody's actually listening. So thanks and talk to you
 again tomorrow. Bye.