
SANS Stormcast Friday Mar 7th: Chrome vs Extensions; Kibana Update; PrePw0n3d Android TV Sticks; Identifying APTs (@sans_edu, Eric LeBlanc)
A
Hello and welcome to the Friday, March 7, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Baltimore, Maryland. Well, we all know it's important to keep your browsers up to date. Last week Google did release a new update for Google Chrome. Unfortunately, they're sort of doubling down on getting rid of older extensions that are still using version 2 of the manifest. The problem here is that these older extensions had more privileges to interact with Chrome, which Google no longer wants to allow. However, there are also some beneficial extensions that took advantage of this access. One that's very vocal here is uBlock Origin. uBlock Origin, in this latest update, is automatically being deactivated, and then if a user is trying to manage their extensions, well, they're kind of pushed in the direction of actually uninstalling and removing this extension. The problem is, well, you don't actually have to remove it; you are able to reactivate it, for now. Google just doesn't make that very obvious. This has been an ongoing battle between sort of uBlock Origin and Google. Not 100% sure if uBlock Origin could come up with other ways to do its work and block advertisements. Of course, one of the suspicions here is that Google's reliance on advertisement revenue makes them more likely to actually prevent users from running these types of extensions in their browsers.
B
We have some critical updates to talk about.
A
First of all, Kibana. Kibana, of course, is also part of our honeypot SIEM. It's the popular dashboard for Elasticsearch, and it suffers from a prototype pollution vulnerability that could allow arbitrary code execution. In order to exploit the vulnerability, an attacker would have to have access as a viewer to the dashboard. Now, this is of course a low-privilege account, usually, and often provided without a password or with a well-known password just to allow users to, for example, review a particular public dashboard. So, update. There's also a quick workaround that you can enable. I'll link to the advisory from Kibana in the show notes. Wired has a story, well, that we have sadly seen before, and that's Android web TV devices that are showing up with preinstalled backdoors. These are commonly known sort of as TV stick devices, usually just a little HDMI plug that you plug into your TV, maybe some USB for a power supply. But yes, these devices come with adware and the like preinstalled, and apparently just another batch has been found with about a million or so compromised devices. Not too much really you can do.
B
About this, other than, well, be careful.
A
Where you're buying these devices from, and also probably not necessarily going to the cheapest device out there from any kind of no-name supplier. Well, it's Friday and I do have another SANS.edu student to interview here. Eric, could you introduce yourself, please?
C
Sure. My name is Eric LeBlanc. I'm a senior cybersecurity engineer at the US Strategic Petroleum Reserve, and my paper was on a new technique that I developed for attempting to detect advanced persistent threat actors within an environment.
B
Yeah, so advanced persistent threat actors, of course, one thing they try to do to stay persistent is not to get detected. So what was the new technique that you came up with there?
C
So here I created a thing that I call meta detection. It examines your detections over a longer period of time than you might traditionally look at for detections. It works similar to how risk-based alerting works, in that you're looking at things over time. However, specifically what I was looking at was tracking things using the MITRE ATT&CK framework, and specifically known TTPs that have been used by specific threat actor groups. So effectively trying to identify known actors that might be specifically looking for a given enterprise. So it requires you to go through a good threat modeling process to know what actors might actually be targeting you, as well as understanding their tradecraft and what they're doing. But specifically, it's looking at how they have acted in historic intrusions and trying to connect dots within your environment.
B
Okay, cool. So let's make it a little bit more specific. What was one of the threat actors that you selected there?
C
Yeah, so specifically I was looking at APT29 for the experiment that I conducted, because they're a fairly well-known and well-researched entity already, and we had a very large history to pull from and look at for their potential techniques. And it was interesting: in my experiments it showed as effective as risk-based alerting, which was a bit of a surprise to me.
B
Yeah, and so what was one of the indicators or TTPs that you sort of looked for here?
C
Yeah, so specifically we were looking at things that they'd done historically. So we were looking at some of the same lateral movement techniques that they were using, like via remote management or Windows administration tools, things like that. We were looking for all of these various sub-techniques that they had done in the past, but we were looking to connect them within the environment over a history. So basically, one of the problems we had found with risk-based alerting is that you need to set that threshold, because there's going to be some amount of noise. Administration tools look a lot like hacker tools many times. So basically a problem can be filtering the noise from what is normal behavior. One of the things that I found was that normal behavior doesn't strictly follow the known plan of an APT actor in many cases. So it was easier to say, okay, well, I see this execution activity. And then later, weeks later, okay, well, this host I saw execution activity on ended up attempting lateral movement, or attempted to do reconnaissance or something like that by an unknown method. So, say they were doing SMB enumeration, or they were doing something more specific that is not routinely done within the environment, and linking those things together through a series of detections that are looking at historical data from within the environment.
B
Yeah, so basically not them exploiting it or doing lateral movement right away, but waiting then for this. And yeah, that's certainly something that APTs sometimes tend to do, sort of as they figure out what they have and don't have. The one challenge that I can sort of think of, the alarm bell that sort of goes off right away, is how to deal with all the data.
A
Over that amount of time.
C
So in this instance, I am both gifted and cursed by working in a federal environment. One of the big OMB memos that came out in recent years involved logging and log retention periods. So by OMB rule, we have to maintain a minimum of one year of logs in hot storage, so that we have that available to look over, as well as an additional 18 months in archive storage. So at any given time within the environment that I was testing in, we have a whole year of logs to look at. It's very pricey. It's a luxury that not a lot of entities have. However, per regulatory orders, we have to have that. So within the federal government at least, you're going to have those logs.
A
Yeah. And also the ability to search then.
B
Because that's the other cost factor here. Storage is cheap to some extent, but fast storage that you can actually search with queries like this is not. Were you able to do some sort of pre-filtering or such to speed that up, or any sort of data management procedures that helped here?
C
Sure. So in this case we were querying across the previous detections specifically. We're not looking at all of the underlying log data; we're looking at the records generated from previously fired detections. So all of that data is pretty small and pretty easily searched through. Specifically, we were annotating within the detection field, saying okay, using MITRE technique IDs, and also the kill chain phase that a given detection corresponds to. So from there you can say, show me all of the detections that fired with actions on objectives as the kill chain phase. And it would then filter based on whatever your query was, whether you were looking at an individual host, you were looking at the whole environment, things like that. So in this case specifically, I was working within Splunk Enterprise Security. You can do the same thing with other SIEMs as well. I know SOF-ELK, you can have annotations for your detections. And yeah, it's not unique to that specific tool, but it was the one that we're using in our environment.
A
Yeah.
B
Give us a little bit of an idea of the scalability and practicality of this. Can you say approximately how many logs or how many endpoints or such you're monitoring?
C
Yeah. So for this environment we were looking at approximately, I think it was around 3,000 to 4,000 endpoints total between end user devices, networking equipment, servers, all that. So it's not a small environment. I think our total number of users is around 1,200 to 1,300 end users. So not a small business for sure, but it's not necessarily the size of some worldwide enterprises. But in theory the logic should scale, because you're looking at previously detected events, so you're not having to pore through terabytes of actual log files. You're really only looking at previous detections. So what might be considered either an event of interest or, you know, choose your favorite vocabulary for that. But yeah, so you're only looking at sort of the summarized events, and what.
B
Sort of detection delay then? Like, basically, after the event happened, how long would it take you? Like, do you run these queries daily, hourly, or?
C
Yeah, so I was running these queries, and as part of the experiment I was running them every 15 minutes. They run very quickly. It only took, I think, maybe a couple of seconds for the actual query to run through. So I was doing them periodically. Over a large enterprise, you may want to scale that up some. It depends on the sensitivity that you're looking for. But because you're going over summarized data, it's much faster.
A
Yeah.
B
And I guess in a large enterprise you would also not run it necessarily over the entire enterprise, but some department, some critical enclave or something like that.
C
Yeah, something that you've identified as part of your crown jewels analysis or something like that.
A
Yeah.
B
So that's really cool. You're using this.
A
Right now in your day-to-day job.
C
Yes.
A
Yeah.
B
So great. The link to the paper will be added to the show notes, so if anybody's interested in any more details here and how this all exactly worked. Any final words, Eric? Anything to give people on their way to implement this? Sure.
C
So don't be daunted by how much needs to be done beforehand, because this really isn't something that I would expect to work early on in the maturity process for an environment. You need a whole lot of base-level skills to make this work. You need to have an active threat intelligence practice, both consuming and producing. You need to have very mature detection engineering, so that you know that these individual detections that are firing have good fidelity and have already been tuned well. It takes a lot, and it is a journey. So there's a lot of underlying assumptions there that are required, and the only way to get there is to actually do the work. Yeah.
B
Thanks for being here. Thanks to everybody listening, and talk to you again on Monday. Bye.
This episode of the SANS Internet Stormcenter Daily Cyber Security Podcast, hosted by Johannes B. Ullrich, provides a concise but comprehensive roundup of pressing security topics: Chrome's crackdown on Manifest V2 extensions, a critical Kibana vulnerability, the latest in compromised Android TV devices, and an interview with SANS Edu student Eric LeBlanc on innovative methods for APT (Advanced Persistent Threat) detection in large environments. The episode blends actionable news with a deeper dive into emerging detection methodologies.
This episode blends practical news with strategy advice: Chrome's ad blocker clampdown, Kibana’s urgent vulnerability, and another wave of compromised IoT devices serve as reminders of evolving cyber risks. The main feature, Eric LeBlanc’s interview, offers a high-level, actionable look at meta detection for APTs: using smarter, longer-term analysis powered by structured threat intelligence and detection engineering. If you want to know how mature organizations chase adversaries across months—and what it takes to implement those techniques—this brisk listen is essential.
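As an added illustration of the meta detection idea from the interview (correlating previously fired detections, annotated with MITRE technique IDs and kill chain phase, per host over a long window), here is a small Python example. It is not code from the paper or from Splunk Enterprise Security; the actor profile, the host names and the detection records are constructed for this example, and the profile is a made-up three-phase sequence rather than APT29's actual tradecraft.

```python
from datetime import datetime, timedelta

# Illustrative actor profile, constructed for this example (not the paper's APT29 profile):
# kill-chain phases in their historical order, each with the ATT&CK technique IDs seen in it.
ACTOR_PROFILE = [
    ("execution", {"T1059.001", "T1059.003"}),
    ("discovery", {"T1135", "T1018"}),
    ("lateral_movement", {"T1021.002", "T1021.006"}),
]

# Constructed records of previously fired detections, annotated with technique ID and
# kill-chain phase: the summarised data the interview describes, not the raw logs.
DETECTIONS = [
    {"host": "WS-0142", "ts": "2025-01-06T09:12:00", "technique": "T1059.001", "phase": "execution"},
    {"host": "ADMIN-01", "ts": "2025-01-05T08:00:00", "technique": "T1021.002", "phase": "lateral_movement"},
    {"host": "ADMIN-01", "ts": "2025-01-08T08:30:00", "technique": "T1135", "phase": "discovery"},
    {"host": "WS-0142", "ts": "2025-01-27T14:40:00", "technique": "T1135", "phase": "discovery"},
    {"host": "SRV-09", "ts": "2024-09-01T02:00:00", "technique": "T1059.003", "phase": "execution"},
    {"host": "SRV-09", "ts": "2024-09-10T02:05:00", "technique": "T1018", "phase": "discovery"},
    {"host": "WS-0142", "ts": "2025-02-10T11:05:00", "technique": "T1021.002", "phase": "lateral_movement"},
    {"host": "SRV-09", "ts": "2025-02-01T03:00:00", "technique": "T1021.002", "phase": "lateral_movement"},
]

def fits(rec, stage):
    # A detection matches a profile stage when both its phase and its technique ID agree.
    return rec["phase"] == stage[0] and rec["technique"] in stage[1]

def match_chain(recs, profile, window):
    """Try each first-phase record as a start and walk forward for each later phase within `window`."""
    for i, first in enumerate(recs):
        if not fits(first, profile[0]):
            continue
        chain, stage = [first], 1
        for rec in recs[i + 1:]:
            if rec["ts"] - first["ts"] > window:
                break  # chain took longer than the window: give up on this start
            if stage < len(profile) and fits(rec, profile[stage]):
                chain.append(rec)
                stage += 1
        if stage == len(profile):
            return chain
    return None

def meta_detect(detections, profile=ACTOR_PROFILE, window_days=90):
    """Map host -> technique chain for hosts whose detections follow the actor's phase order in time."""
    window, by_host = timedelta(days=window_days), {}
    for d in detections:
        by_host.setdefault(d["host"], []).append(dict(d, ts=datetime.fromisoformat(d["ts"])))
    chains = {h: match_chain(sorted(r, key=lambda x: x["ts"]), profile, window) for h, r in by_host.items()}
    return {h: [r["technique"] for r in c] for h, c in chains.items() if c}
```

In the constructed data only WS-0142 completes the chain: ADMIN-01 hits admin-tool techniques out of the actor's order, and SRV-09 follows the order but takes longer than the 90-day window, which is the kind of noise a single risk score threshold struggles to separate.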