SANS Stormcast Monday, June 29th, 2026: Automated Cybercrime; Linux Process Names; Amazon Q VS Code
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9986.mp3
What do Ports Hear When Nobody's Listening? An Assessment of Automated Cybercrime
https://isc.sans.edu/diary/What%20do%20Ports%20Hear%20When%20Nobody%27s%20Listening%3F%20An%20Assessment%20of%20Automated%20Cybercrime%20%5BGuest%20Diary%5D/33104
Linux Process Name Masquerading
https://isc.sans.edu/diary/Linux+Process+Name+Masquerading/33102
Amazon Q VS Code Extension Vulnerability
https://www.wiz.io/blog/amazon-q-vulnerability
My Upcoming Classes
https://www.sans.org/profiles/dr-johannes-ullrich
| Course | Location | Dates |
| --- | --- | --- |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Online (British Summer Time) | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Nov 9th - Nov 14th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 14th - Dec 18th 2026 |
Podcast Transcript
Hello and welcome to the Monday, June 29th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Riyadh, Saudi Arabia. And this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity. Well, in diaries today we actually have yet another diary by one of our Bachelor's Degree students. I just mentioned the Bachelor's Degree we offer as part of our SANS.edu college. As part of the internship here we have Nicole Phillips looking at some of the background noise that you are seeing in honeypots. And of course that background noise can quickly be overwhelming, in particular since much of that background noise really doesn't appear to be relevant as far as current exploits go. The vulnerabilities being exploited are often decades old, and well, in many cases actually the exploits being used are not even functional. But what Nicole here is pointing out is that even though there is a lot of garbage essentially being sent at the honeypot, there are also some newer threats that are very relevant and are easily drowned out by all the noise that the honeypot receives. And well, just like in a real system you're protecting, so not a honeypot, it can be quite difficult sometimes to isolate this relevant activity from all the background noise, because overall the requests and patterns often look very similar. So what you're seeing here is a little bit of a breakdown in this diary of the different attacks being seen, what the exploits are that are being used, and well, some of the newer threats, one here being RondoBot. That's something that I've mentioned a few times in the past that very aggressively, as Nicole points out, picks out newer vulnerabilities and adds them to the repertoire of scans against vulnerable systems, covering the internet very quickly and sometimes several times a day.
And then we have a second diary from late last week, and that's by Xavier, about how to manipulate the process name that's being reported in Linux. Now there are really two locations the process name is kept in the /proc directory for the respective process. One is comm (c-o-m-m); well, that's just the process name, and that's easy to manipulate; there is prctl and such that can be used to manipulate the process name in this file. The second one is the cmdline file, and that's a little bit more tricky because it doesn't just contain the process name but it also contains any arguments being passed to the process on the command line. Well, so in order to manipulate this, as Xavier points out, you need to zero out all of these arguments and then override it with your new process name, and Xavier presents a little C proof of concept to show how this can be accomplished. It's overall not that terribly difficult, but then, well, Xavier also goes into some of the techniques that can be used to discover this kind of manipulation. So an interesting kind of cat-and-mouse, attack-and-defend diary by Xavier. And Wiz wrote up an interesting vulnerability in Amazon Q, Amazon's AI assistant, and well, how it interacts with Visual Studio Code. Really one of the reasons I mention this is not because Q is very popular and things like the truth it is, but because this type of vulnerability has become really sort of a very standard type of vulnerability affecting many similar programs, assistants, and well, really sort of extensions in Visual Studio Code. The main problem here is that these kinds of extensions are often automatically executing code as a new repository is being cloned. And that's exactly what's happening here. It will read the respective configuration files and then, without warning the user, execute code that you basically just retrieved via a simple git pull. The lesson here is really, first of all, of course, be careful with these extensions that you're installing.
But again, this was not a malicious extension. This was really just a maybe a little bit sloppily coded extension. The biggest problem here is that you must be aware, if you are cloning code, if you are opening that repository in a modern development environment like Visual Studio Code, that extensions may execute arbitrary code based on configuration files found inside that repository. So it really comes down to, as a developer, that you have to be somewhat careful what you are actually cloning and what you're loading into your repository. So it's a developer that you have to be able to do in your development environment, and then be aware of any constraints that you may impose that will prevent these kinds of auto-executions of code, and hopefully they'll be implemented properly. And that's sort of the problem here: that Q didn't implement these constraints quite correctly. Well, and this is it for today. So thanks for listening. Thanks for liking. Thanks for recommending this podcast. And as always, I'll talk to you again tomorrow. On the other hand, there will probably be no podcast on Friday because of the July 4th holiday. Thanks and talk to you again tomorrow. Bye.
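The Linux diary discussed above describes two renameable views of a process name, comm and cmdline. The following is an added detection example (not Xavier's proof of concept, nor code from the diary) that cross-checks both against /proc/<pid>/exe, which points at the binary actually mapped and cannot be renamed; the sample inputs in its test are constructed.

```python
"""Spot Linux process-name masquerading by cross-checking three /proc views.
Added example, not the diary's proof of concept: comm (renameable via prctl,
as the diary describes) and cmdline (argv, overwritable in place) are checked
against exe, the symlink to the mapped binary, which cannot be renamed.
Test inputs are constructed, not captured from a real host."""
import os
from pathlib import Path

def cmdline_argv(raw: bytes) -> list:
    """Split NUL-separated cmdline bytes into argv strings, dropping empty fields."""
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]

def check_process(comm: str, cmdline: bytes, exe: str) -> list:
    """Return findings for one process; an empty list means the three views agree."""
    findings = []
    exe_base = os.path.basename(exe)
    argv = cmdline_argv(cmdline)
    argv0 = os.path.basename(argv[0]) if argv else ""
    # The kernel caps comm at 15 bytes, so treat it as a prefix of the exe name.
    if comm and not exe_base.startswith(comm[:15]):
        findings.append(f"comm {comm!r} does not match exe {exe_base!r}")
    # argv[0] normally names the binary. Benign exceptions to triage away:
    # interpreters ("python3 app.py"), login shells ("-bash"), busybox applets.
    if argv0 and argv0.lstrip("-") != exe_base:
        findings.append(f"argv[0] {argv0!r} does not match exe {exe_base!r}")
    # More than one trailing NUL means the argv area was rewritten in place;
    # daemons that call setproctitle() leave the same trace legitimately.
    if len(cmdline) - len(cmdline.rstrip(b"\0")) > 1:
        findings.append("argv area overwritten (NUL-padded cmdline)")
    return findings

def scan_proc(proc: str = "/proc") -> dict:
    """Run check_process over every live PID; returns {pid: findings}."""
    hits = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        d = Path(proc, pid)
        try:
            comm = (d / "comm").read_text().strip()
            cmdline = (d / "cmdline").read_bytes()
            exe = os.readlink(d / "exe")
        except OSError:
            continue  # kernel threads have no exe; other PIDs may need root
        if found := check_process(comm, cmdline, exe):
            hits[int(pid)] = found
    return hits

if __name__ == "__main__":
    for pid, found in scan_proc().items():
        print(pid, found)
```

Run it as root on a Linux host to see every process; expect some benign hits (interpreters, login shells, daemons using setproctitle) that need triage rather than alarm.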