
SANS Stormcast Friday Feb 28th: Njrat devtunnels.ms; Apple Find My Abuse; XSS Exploited; @sans_edu Ben Powell EDR vs. Ransomware
A
Hello and welcome to the Friday, February 28, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. Xavier today published a quick diary with a new version of the NJRAT malware that he found. And well, NJRAT in this example is taking advantage of Microsoft dev tunnels. This is activity that may go unnoticed because it is a legitimate service. Sometimes it's described as living-off-the-cloud attacks. But essentially dev tunnels are meant for developers to help test web services. But of course they can also be used to relay other traffic, like in this case the exfiltration of credentials. The domain to look for here is devtunnels.ms, "ms" for, sort of, Microsoft. This particular domain is exclusively used for these dev tunnels. And well, they're called dev tunnels because they're used for development, not necessarily for production software. So unless you are actually actively developing software using dev tunnels, you probably shouldn't see that domain in a network, which makes it a pretty good indicator of compromise here. Something to go hunting for. And researchers at George Mason University came up with an interesting method to subvert the Apple Find My network. This is the network that is being used to track AirTags and other Apple devices. In order for a device to be tracked it needs a valid public/private key pair. The public key is then being used to essentially send the lost message that's then being received and relayed by various Apple devices that are capable of participating in this Find My network. The problem that these researchers have discovered is that it's actually not that difficult to come up with a valid key pair. So a Trojan could infect a random computer that's capable of participating in Bluetooth Low Energy, which of course pretty much any mobile device is these days. Definitely desktops and such usually have some kind of Bluetooth capability.
And then they have to create a valid key pair for the device, which they figured out can be done with reasonable effort. They used one of these higher-end Nvidia cards, I believe the H100 card. But they reckon that's about $5 worth of computing time effort if you do it in the cloud, for example, to come up with a valid key pair. And that advertisement of a lost device is now being relayed by Apple devices for the Find My network and allows the geographic location tracking of the compromised device. Apple has released a patch in the latest version of iOS, in 18.2, to prevent relaying these messages. Basically added some additional validation of the keys to make them more difficult to spoof. Of course, as long as there are still old devices out there, they will relay these messages and the exploit would still work. Well, yesterday I talked about the injection of malicious JavaScript that led to this large cryptocurrency theft. Today, a little bit something similar: cross-site scripting being used in order to inject malicious JavaScript into websites that are using these 360 degree virtual tours. A cross-site scripting vulnerability is basically being used here to persistently inject that JavaScript. Oleg Zaytsev did come up with details behind this attack. Currently it's, I guess luckily, just being used to advertise porn websites. So nothing too malicious yet. But given that this is often used sort of on Realtor websites or such, it could also be used for more malicious purposes. Like, I see a lot of sort of business email compromise attacks and such against Realtors, Realtor websites. So there's certainly room to grow here for this particular attack. And the particular library that's vulnerable here is called krpano. And again it's being used for these 360 virtual tours. Well, and it's Friday again, so we do have another SANS.edu student here to talk about their research paper. Ben, could you introduce yourself please?
B
Hi there, my name is Ben Powell. I'm a senior, excuse me, a principal security engineer and I've been in cyber about 15 years at this point. Started and worked my way up through the military and then separated to do some contracting, and now working in the private sector.
A
Yeah. And your paper, I think, was about, well, one of the hot topics that probably many are worried about, and that's kind of ransomware and how to defend against that. Can you explain a little bit what aspect of ransomware, that big topic, you covered?
B
Yes. So I, working as an incident responder, have seen quite a bit of ransomware and am often surprised at how payloads are executed and how ransomware lands on the systems. And so I was curious, with some penetration testing experience also, how we as network defenders can do a better job of preparing ourselves for sort of the inevitable. You and I both know it's not going to go anywhere as long as companies are paying the ransom; it's just going to continue to be present.
A
Yeah, I always figure ransomware, they figured out it's actually more valuable to steal the data than to delete it or sell it to someone else. You're the only one who really wants those baby pictures, for sure. But yeah, so of course you're looking at corporate environments, not necessarily at people's personal pictures, and you looked at different EDR options. What were these EDR, endpoint detection and response, options?
B
So really I kind of targeted my research around small businesses, maybe teams that don't necessarily have a large security staff. And I was interested in kind of a name-brand product. So I shot for Microsoft Defender. And within the Microsoft Defender world there's a boatload, but I specifically focused on Microsoft Defender for Endpoint and, excuse me, Microsoft Defender for Business, because that one was focused on companies that had 300 people or less. So my thought there was this would kind of definitely hit that small business environment. Not everyone needs a full-blown Microsoft 365 license. And the second option I looked at was Wazuh, open source. I'll call it an integrated product. It provides XDR as well as a SIEM. So there's almost an auto-ingestion portion where you don't necessarily manage the... You don't look at the data like you would in Defender. You look at it much more from like a Splunk or Elastic perspective, with the ability to create custom searches and look at basically all of the event logs off of the machine, rather than the Microsoft Defender side where you're only kind of looking at those threat logs.
A
And I've used both of these products. I think they are both valid. Like I said, they really hit that small/medium business market, both of them. What were some of the big differences you found when looking at these products?
B
Well, I'll start with Wazuh first. The big difference right there is having the ingestion. So you deploy the agent. The agent then calls back to the indexer. The indexer is going to correlate, not, excuse me, not correlate, index all of the logs for you to create a common language of all of the file types and log data values. And then from there you actually search against that, rather than the Microsoft side where you deploy the agent and it's looking at those logs locally and calling out to the cloud-based console. So with Wazuh you needed an additional internal device. So having that server locally, which I will say I have seen fairly recently, some issues where companies or clients don't necessarily have that integrated logging, the centralized logging or cloud-based logging, and keeping all of the logs local is not recommended in today's day and age.
A
Yeah, I know it's a common issue. The advantage, of course, of having all those logs is that you have additional context in case something happens. In Microsoft Defender, do you get some of that context from Microsoft, or is it really more so that red light/green light bulb thing?
B
You get a good bit of data from Microsoft. Microsoft will categorize threats. One of the big differences was the rule technology or the rule creation. With Microsoft Defender for Business, you were unable to create any customized detection, so you were really kind of left with what Microsoft deemed to be threats. With Wazuh, on the other hand, you had the ability to write your own YARA rules. And taking those YARA rules and deploying them creates a lot more detections that you can get out of that system, while also being somewhat a bit more manual, needing to find a rule set, needing to make sure it's updated and doing kind of the maintenance on that. Whereas Microsoft made it a lot more just plug and play, if you will.
A
Yeah, and I think that customization part is really something, just from my own experience, you know, running Microsoft Defender, the transcript for the podcast often triggers like the suspicious file rule. Kind of not sure why, but maybe talking about malware or such will cause that. Wazuh, similar, it has... I forgot which it was. There was one common Linux binary that last year I ran into that Wazuh for whatever reason considered malicious, and it was a well-known false positive. Now in Wazuh I can go in and change the rule and make it stop alerting on this. In Microsoft I basically just get to ignore it. Which then of course leads to the sort of alert fatigue issue where I may be ignoring stuff that I should not have ignored.
B
Yes, it's definitely a big problem with that side. And I think back to what you pointed out. It was interesting because even just on my base installation of Windows, importing the tool I used for these detections, Atomic Red Team, to create some of that activity, Microsoft Defender immediately started throwing flags just upon the installation. Whereas Wazuh, on the other hand, you needed to go in and specifically tell it to detect on this activity and detect on this file type.
A
Yeah, I think Wazuh in general is not that great in sort of that real-time detection as stuff is being uploaded on the system; that doesn't seem to be a good component of it. But yeah. Now as far as blocking, did Wazuh do any blocking or did it just do alerting?
B
I did not get any blocking out of it. I did just alerting. Focusing on really kind of a default installation, if you will. Back to the scenario of this being a very small shop, maybe without a security team. So having kind of the built-in detections from the Microsoft Defender side was really a big pro if I was looking at the two solutions. With Wazuh you do need a good bit more technical expertise to get the rules created, to get the rules written and deployed correctly. One slight mishap in the logic, if you add a quote or a comma in the wrong place, then you definitely would not detect on what you're wanting to.
A
So with lots of flexibility comes lots of responsibility in getting it right, as the usual issue. Yeah. Great. So the paper is in the... Is it already in the reading room? It's already uploaded.
B
Yes, it is in the reading room and uploaded.
A
Okay, good. So I'll add the link to the show notes. Any final words? Kind of, are you using Wazuh or Microsoft Defender? Can you say what you're using right now in your day job, or are you using both?
B
In the day job we're using SentinelOne. So it's something, yeah, totally different, definitely. But I would like to leave everybody with: Atomic Red Team was the tool I used to test the detections. So having an internal team or having someone who is familiar with that, it's very simple to deploy and create some of these activities. So as security defenders, we can definitely make significant strides towards blocking out very common ransomware, even with very common threat actor tactics, through using tools like this.
A
Excellent. Yeah, thanks for joining me here. And thanks everybody for listening.
This episode of the SANS Internet Storm Center's Stormcast, hosted by Johannes B. Ullrich, delivers a concise rundown of current network security developments. The key topics include the abuse of Microsoft's dev tunnels by NJRAT malware, vulnerabilities in Apple's Find My network, ongoing cross-site scripting attacks exploiting virtual tour software, and a student research spotlight on using EDR to combat ransomware in small businesses.
Indicator of compromise: the devtunnels.ms domain. Unless you are actively developing, this traffic is highly suspicious.
"Dev tunnels are meant for developers to help test web services. But of course, they can also be used to relay other traffic like in this case the exfiltration of credentials."
— Johannes B. Ullrich [01:00]
"So, with lots of flexibility comes lots of responsibility in getting it right as the usual issue."
— Johannes B. Ullrich [13:14]
"Having an internal team or having someone who is familiar with [Atomic Red Team], it's very simple to deploy and create some of these activities."
— Ben Powell [14:03]
| Timestamp | Segment |
|-----------|---------|
| 00:01 | Intro, NJRAT & devtunnels.ms abuse |
| 01:12 | Indicator of compromise: devtunnels.ms |
| 02:10 | Apple Find My key-pair abuse explained |
| 03:20 | Apple iOS 18.2 patch; legacy device exposure |
| 04:07 | Cross-site scripting in krpano virtual tours |
| 05:01 | Guest segment: Ben Powell introduction |
| 06:40 | EDR solutions for SMBs overview |
| 09:33 | Comparisons: logging, context, and custom rules |
| 11:36 | Alert fatigue, false positives, managing rule sets |
| 12:10 | Blocking and alerting differences between EDR products |
| 13:14 | Flexibility vs. responsibility in EDR management |
| 13:41 | Ben's day job, research summary, use of Atomic Red Team |
| 14:19 | Closing |
Informative, practical, and concise—rooted in real-world incident response. Both Johannes and Ben favor actionable insights over hype, and the episode maintains a conversational, accessible tone even when discussing technical nuances.
This episode spotlights the dual reality of security tools: the more customizable and powerful, the higher the maintenance responsibilities and the risk of misconfiguration. The discussion on evolving malware and cloud service abuse, alongside pragmatic EDR evaluations, offers practical intelligence for defenders, especially in SMB and resource-limited environments. The episode closes by underscoring the need for ongoing adversarial testing and security validation, regardless of toolset.