SANS Stormcast Thursday, March 5th, 2026: XWorm Analysis; Cisco “Secure” Firewall Management Center; LastPass Phishing

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9836.mp3


Podcast Transcript

Hello and welcome to the Thursday, March 5th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations.

Xavier today is asking, do you want more XWorm? Because that's the sample that Xavier is looking at today, including the infection chain that actually gets you to the actual XWorm sample. XWorm remains one of the favorite payloads deployed by the miscreants out there. It starts in this case with a simple phishing email that has, well, yet again, a 7-Zip attachment. That unzips then to JavaScript. And we have seen this now for so many years, this sort of compressed JavaScript thing. Not sure why filters or so don't really catch on to this yet. Then it becomes PowerShell, and then it actually injects itself into the .NET compiler. The compiler, that's sort of where it loads the DLL, until it loads the actual XWorm payload. So a somewhat convoluted infection chain here. Xavier walks you through the reverse analysis of this particular sample: how to get from the JavaScript, which actually Xavier just executes in the sandbox, all the way to the XWorm payload.

And another problem that has been haunting us for years now is malicious search engine optimization, where attackers are either outright buying ads in search engines, or they are placing content around the internet that all points to malicious content if a particular user is searching for a popular term. Well, this is now happening also with some of the AI search engines. Many search engines, Google, Bing, Yahoo, they all now have these AI search engines. And you probably have all seen them, where you search for something and at the top of the page you'll get sort of that little AI blurb trying to summarize or point you to particular features, results about the search that you entered. Well, it turns out that Bing did redirect users to a malicious OpenClaw installer. This happened early February. So if a couple of weeks ago you searched for "Windows OpenClaw installer", I think was the exact search term here, but probably other search terms worked as well, you were directed to a GitHub page that then made you download and install this malicious installer. And information stealers were included, according to a blog post posted by Huntress. This is not really all that surprising because essentially, you know, AI tools are now sort of replacing some of the more traditional search engines. But these AI tools pretty much do the same thing that, you know, your traditional search engines did. They spidered the web. They tried to figure out, based on number of links and other sort of relevancy scoring, whether or not a particular link or snippet or content is relevant to the question that you asked. And well, attackers are able to poison that just like they were able to poison traditional search results. Plus, of course, many of the search engines have not yet quite put the same sort of filters and such in place for their AI results as they have already in place for some of the traditional search results.

And Cisco today released numerous patches for many of its products. Now, there's one product and two vulnerabilities that really stand out here, and that's the Secure Firewall Management Center, which suffers from two vulnerabilities that both scored a perfect 10 on the CVSS scale. The first vulnerability is an authentication bypass vulnerability. It does allow an unauthenticated user to run scripts as root, so completely compromise the Secure Firewall Management Center. The second vulnerability that's also affecting here the Secure Firewall Management Center is a remote code execution vulnerability. Sounds, in sort of total impact, very similar to the first one. But this one is restricted to actually executing Java. So if you don't like Java, well, Cisco is forthcoming enough here to allow the Secure Firewall Management Center to also be exploited with other scripting languages using the first vulnerability. Neither of these vulnerabilities is yet exploited. So still get it patched. Probably not all that terribly difficult to actually exploit these vulnerabilities once the patch has been reversed.

Well, back in January, LastPass was the subject of some fairly aggressive and better phishing campaigns. They have done some takedowns then. And well, imagine that: they took down some phishing websites, others have sprung up. I don't want to really go too much into the phishing part here. But I think what's really important here, and I think I mentioned this also yesterday, is the concept of phishing-resistant authentication. If something critical like your password manager can be taken over by stealing credentials from you, like a username, like a password, like a one-time password that you may enter in a website, well, then you have a problem and you're probably using the wrong product. So don't rely on any password managers that don't themselves use phishing-resistant authentication. It's tricky to do this right with password managers. But whenever the user is in charge of entering credentials into a particular website, you probably have a problem, in particular if these are credentials that the user knows. Some password managers, for example, use these long random strings that you don't really ever have to use unless you sort of set up a new client for that password manager. So you can lock them away, which sort of protects them better. That's probably sort of one way to protect your password managers a bit better. Or things like hardware authenticators or such can be used that cannot be easily copied, unlike a one-time password that you're getting from an app.

Well, and that's it for today. Sorry for missing the outro here yesterday; somehow forgot to, I think, splice it on to the audio file. But anyway, thanks for listening. Thanks for actually also telling me about any errors or such. I still, sort of, you know, we'll send you a sticker if you find anything wrong with any of the podcasts. And then again, talk to you again tomorrow. Bye.