SANS Stormcast - Friday, Feb 28, 2025
Main Theme
This episode of the SANS Internet StormCenter's Stormcast, hosted by Johannes B. Ullrich, delivers a concise rundown of current network security developments. The key topics include the abuse of Microsoft's dev tunnels by NJrat malware, vulnerabilities in Apple's Find My network, ongoing cross-site scripting attacks exploiting virtual tour software, and a student research spotlight on using EDR to combat ransomware in small businesses.
Key Discussion Points & Insights
1. NJrat Malware Using Microsoft Dev Tunnels
- Summary:
- NJrat's new variant is leveraging Microsoft dev tunnels, a legitimate feature meant for developers to test web services, for malicious data exfiltration.
- These dev tunnels can become an avenue for "living off the cloud" attacks, as they often bypass standard detection.
- Red Flag:
- Network defenders should hunt for activity involving the devtunnels.ms domain; unless the organization is actively developing software with dev tunnels, this traffic is highly suspicious.
- Quote:
- "Unless you are actually actively developing software using dev tunnels, you probably shouldn't see that domain in your network which makes a pretty good indicator of compromise here." — Johannes B. Ullrich [01:12]
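The hunting advice above (treat any devtunnels.ms lookup as suspicious unless it comes from a known developer host) as a small log-hunting routine. This is an added example, not code from the Stormcast or the SANS ISC; the DNS log format, client addresses and host names are constructed for illustration.

```python
"""Hunt DNS query logs for the devtunnels.ms domain flagged in the episode.

Added example; the log format below ("<timestamp> <client> <qtype> <name>")
and every address and host name in it are constructed, not real telemetry.
"""
from dataclasses import dataclass

SUSPECT_DOMAIN = "devtunnels.ms"

# Constructed sample log: one developer workstation (10.0.5.21) and one
# host (10.0.9.3) that has no business talking to dev tunnels.
SAMPLE_DNS_LOG = """\
2025-02-27T09:14:05Z 10.0.5.21 A euw-1.devtunnels.ms
2025-02-27T09:15:11Z 10.0.7.88 A login.example-tenant.test
2025-02-27T09:16:40Z 10.0.9.3 A abc123-8080.usw2.DEVTUNNELS.MS.
2025-02-27T09:17:02Z 10.0.9.3 A notdevtunnels.ms
2025-02-27T09:18:30Z 10.0.5.21 AAAA devtunnels.ms
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client: str
    name: str


def is_devtunnels_name(name: str) -> bool:
    """True for devtunnels.ms itself or any subdomain of it.

    Normalizes case and a trailing dot and matches only on a label
    boundary, so look-alikes such as notdevtunnels.ms do not match.
    """
    n = name.lower().rstrip(".")
    return n == SUSPECT_DOMAIN or n.endswith("." + SUSPECT_DOMAIN)


def hunt_devtunnels(log_text: str, developer_hosts=frozenset()) -> list[Finding]:
    """Return devtunnels.ms lookups from clients not in the developer allowlist."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts, client, _qtype, qname = parts[:4]
        if client in developer_hosts:
            continue  # expected traffic from a known developer workstation
        if is_devtunnels_name(qname):
            findings.append(Finding(ts, client, qname.lower().rstrip(".")))
    return findings


if __name__ == "__main__":
    for f in hunt_devtunnels(SAMPLE_DNS_LOG, developer_hosts=frozenset({"10.0.5.21"})):
        print(f"{f.timestamp} {f.client} -> {f.name}")
```

Run against the constructed sample with the developer allowlist, only the 10.0.9.3 lookup remains, which is the kind of hit worth triaging.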
2. Apple Find My Network (FindMe) Key Pair Abuse
- Summary:
- Researchers from George Mason University demonstrated it's relatively easy to generate valid key pairs for Apple’s “Find My” (FindMe) network, using commodity cloud resources (~$5 with Nvidia H100 GPU).
- Malicious actors could exploit this to covertly geolocate compromised devices using Apple's crowdsourced network.
- Apple’s iOS 18.2 patch tries to address this by enhancing key validation—but legacy devices remain a risk.
- Quote:
- "They reckon that's about $5 worth of computing time effort in the cloud... And the advertisement of a lost device is now being relayed by Apple devices for the MiFi network and allows the geographic location tracking of the compromised device." — Johannes B. Ullrich [02:38]
3. Cross-Site Scripting in 360° Virtual Tours
- Summary:
- Persistent XSS vulnerabilities discovered in Krapano, a library used for 360-degree virtual tours on realtor and similar sites.
- These flaws are currently exploited for porn spam, but could lead to more malicious campaigns targeting real estate platforms.
- The attack's persistent nature means malicious JavaScript stays embedded until remediation.
- Quote:
- "So nothing too malicious yet, but given that this is often used sort of on Realtor websites or as such, it could also be used for more malicious purposes." — Johannes B. Ullrich [04:25]
4. EDR vs. Ransomware: Student Research Spotlight with Ben Powell
Introduction [05:01]
- Ben Powell introduces himself as a Principal Security Engineer with 15 years’ experience in incident response, the military, and private sector.
Paper Focus [05:34]
- Ben’s research analyzes how small to mid-sized businesses (SMBs) can leverage EDR solutions—specifically Microsoft Defender for Business and the open-source Wazuh—to better prepare for ransomware threats.
EDR Solutions Compared [06:40 – 08:14]
- Microsoft Defender for Business:
- Tailored for organizations with ≤300 users.
- Agent collects threat logs, analyzed via a cloud console.
- "Plug and play" usability—a strong pro for small teams.
- Wazuh (open-source integrated XDR/SIEM):
- Requires a local server to index and centrally manage event logs from endpoints.
- Allows custom searches and correlation rules for broader context—favors technical staff.
- Potential downsides: added setup complexity and local log storage risks.
Notable Quotes:
- "My thought there was this would kind of definitely hit that small business environment. Not everyone needs a full blown Microsoft 365 license." — Ben Powell [06:56]
Detection, Customization & Alert Fatigue [09:33 – 11:36]
- Customization:
- Defender for Business offers limited, non-customizable detection; users rely on Microsoft’s rules.
- Wazuh enables YARA rule implementation—more control, but requires expertise for maintenance and accuracy.
- Alert Fatigue:
- False positives are a common challenge; inability to modify detection logic in Defender leads to “ignore everything” risks.
- Practical Example:
- "In Microsoft [Defender] I basically just get to ignore it. Which then of course leads to the sort of alert fatigue issue where I may be ignoring stuff that I should not have ignored." — Johannes B. Ullrich [11:12]
Blocking vs. Alerting [12:10]
- Wazuh generally only alerts, doesn't block attacks by default.
- Defender offers some built-in blocking, crucial for shops without a dedicated security team.
Notable Quotes:
- "With Wazuh you do need a good bit more technical expertise to get the rules created, to get the rules written and deployed correctly." — Ben Powell [12:43]
- "With lots of flexibility comes lots of responsibility in getting it right." — Johannes B. Ullrich [13:14]
Conclusion of Research & Tools [13:41 – 14:19]
- Ben currently uses SentinelOne in his day job (not evaluated in this research).
- Recommends Atomic Red Team toolkit for adversary emulation and validation of detection efficacy.
- Encourages defenders to regularly simulate attacks and tune controls:
- "We can definitely make significant strides towards blocking out very common ransomware, even with very common threat actor tactics through using tools like this." — Ben Powell [14:19]
Notable Quotes and Memorable Moments
- "Dev tunnels are meant for developers to help test web services. But of course, they can also be used to relay other traffic like in this case the exfiltration of credentials." — Johannes B. Ullrich [01:00]
- "So, with lots of flexibility comes lots of responsibility in getting it right as the usual issue." — Johannes B. Ullrich [13:14]
- "Having an internal team or having someone who is familiar with [Atomic Red Team], it's very simple to deploy and create some of these activities." — Ben Powell [14:03]
Timeline Reference
| Timestamp | Segment |
|-----------|---------|
| 00:01 | Intro, NJrat & devtunnels.ms abuse |
| 01:12 | Indicator of compromise: devtunnels.ms |
| 02:10 | Apple Find My key-pair abuse explained |
| 03:20 | Apple iOS 18.2 patch; legacy device exposure |
| 04:07 | Cross-site scripting in Krapano virtual tours |
| 05:01 | Guest segment: Ben Powell introduction |
| 06:40 | EDR solutions for SMBs overview |
| 09:33 | Comparisons: logging, context, and custom rules |
| 11:36 | Alert fatigue, false positives, managing rule sets |
| 12:10 | Blocking and alerting differences between EDR products |
| 13:14 | Flexibility vs. responsibility in EDR management |
| 13:41 | Ben's day job, research summary, use of Atomic Red Team |
| 14:19 | Closing |
Overall Tone
Informative, practical, and concise—rooted in real-world incident response. Both Johannes and Ben favor actionable insights over hype, and the episode maintains a conversational, accessible tone even when discussing technical nuances.
Final Thoughts
This episode spotlights the dual reality of security tools: the more customizable and powerful, the higher the maintenance responsibilities and the risk of misconfiguration. The discussion on evolving malware and cloud service abuse, alongside pragmatic EDR evaluations, offers practical intelligence for defenders, especially in SMB and resource-limited environments. The episode closes by underscoring the need for ongoing adversarial testing and security validation, regardless of toolset.
