SANS Stormcast — March 7, 2025
Main Theme & Purpose
This episode of the SANS Internet Stormcenter Daily Cyber Security Podcast, hosted by Johannes B. Ullrich, provides a concise but comprehensive roundup of pressing security topics: Chrome's crackdown on Manifest V2 extensions, a critical Kibana vulnerability, the latest in compromised Android TV devices, and an interview with SANS Edu student Eric LeBlanc on innovative methods for APT (Advanced Persistent Threat) detection in large environments. The episode blends actionable news with a deeper dive into emerging detection methodologies.
Key Discussion Points & Insights
1. Chrome Update & Extension Restrictions
- [00:00–01:51] Google Chrome's latest update aggressively deactivates extensions using the older Manifest V2 API, notably impacting privacy and ad-blocking tools like uBlock Origin.
- Key Insight:
- uBlock Origin is being automatically deactivated, and users are subtly encouraged to uninstall it.
- However, users can still reactivate these extensions — Google just doesn’t make it obvious.
- There's tension between Google's need for privacy/security improvements and its business reliance on advertising.
- Notable Quote:
- "One of the suspicions here is that Google's reliance on advertisement revenue makes them more likely to actually prevent users from running these type of extensions in their browsers." — Johannes B. Ullrich [01:37]
2. Critical Kibana Vulnerability
- [01:53–03:22]
- Vulnerability: Prototype pollution flaw can allow arbitrary code execution in Kibana (Elasticsearch dashboard).
- Exploitation Requirements:
- Attacker needs access as a "viewer," often a weakly protected or shared account.
- Urgent: Apply official update or temporary workaround (details in Kibana's advisory, link in show notes).
- Key Insight:
- Public dashboards are often made available with lax or default credentials, significantly raising risk.
3. Pre-Pw0n3d Android TV Sticks
- [03:22–03:47]
- Issue: New waves of cheap Android TV devices are shipping pre-infected with adware and backdoors. Over one million compromised units have surfaced.
- Advice:
- Consumers should buy TV sticks from reputable brands and avoid "no-name" bargain devices.
- Notable Quote:
- "Not too much really you can do ... other than, well, be careful where you're buying these devices from." — Johannes B. Ullrich [03:22–03:25]
4. Interview: New Techniques for APT Detection (with Eric LeBlanc, US Strategic Petroleum Reserve)
Introduction & Overview
- [03:47–05:15]
- Eric LeBlanc introduces his paper on “meta detection” for identifying APTs, leveraging extended observation windows and the MITRE ATT&CK framework.
What is Meta Detection?
- [04:15–05:15]
- Meta detection reviews detections over longer periods — inspired by risk-based alerting, but anchored to tracking TTPs (tactics, techniques, procedures) used by specific threat actor groups (via MITRE ATT&CK).
- It hinges on knowing which APTs target your industry/environment and mapping their unique operational patterns.
- Notable Quote:
- "It requires you to go through a good threat modeling process to know what actors might actually be targeting you as well as understanding their tradecraft..." — Eric LeBlanc [04:35]
Case Study: Tracking APT29
- [05:23–07:34]
- LeBlanc chose APT29 (well-documented) for proof of concept.
- This approach surfaced lateral movement and admin tool usage weeks apart, which risk-based alerting often misses due to its need for tight thresholds.
- Connecting sequential behaviors gives stronger signals of intrusion versus isolated events.
- Notable Quote:
- "Normal behavior doesn't strictly follow the known plan of an APT actor... it was easier to say, okay, well I see this execution activity. And then... weeks later... this host I saw execution activity on ended up attempting lateral movement..." — Eric LeBlanc [06:43]
Handling Massive Data Volumes
- [07:34–10:27]
- Federal mandates (OMB memos) require long log retention (1 year hot, 18 months archived), facilitating large window correlation.
- For efficiency, only the metadata of prior detections is queried, not the raw logs, which keeps lookups fast and practical.
- MITRE technique IDs and kill chain phase annotations aid actionable, high-fidelity queries.
- Notable Quote:
- "We're not looking at all of the underlying log data, we're looking at the records generated from previously fired detections. So all of that data is pretty small and pretty easily searched through." — Eric LeBlanc [09:15]
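As an added illustration of the correlation described in the APT29 case study and in this section (example code, not from LeBlanc's paper or the podcast), the Python below walks per-host detection metadata annotated with MITRE technique IDs and tactics, and reports hosts where an actor's tactic sequence completes within a long observation window. The actor tactic chain, host names, dates and technique mappings are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Metadata of one previously fired detection; no raw log data is kept here.
@dataclass(frozen=True)
class Detection:
    host: str
    when: datetime
    technique: str  # MITRE ATT&CK technique ID the detection maps to
    tactic: str     # kill chain phase (ATT&CK tactic) the technique belongs to

# Hypothetical actor profile: ordered tactics the tracked group is expected to
# progress through on a host. Constructed for this example, not a published
# APT29 profile; a real chain comes from your own threat modeling.
ACTOR_TACTIC_CHAIN = ("execution", "credential-access", "lateral-movement")

def meta_detect(detections, chain=ACTOR_TACTIC_CHAIN, window=timedelta(days=90)):
    """Return {host: [(date, technique), ...]} for hosts where the chain's
    tactics fired in order, all within `window` of the first matching step."""
    by_host = defaultdict(list)
    for d in detections:
        by_host[d.host].append(d)
    hits = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r.when)
        matched = []
        for r in recs:
            if len(matched) == len(chain):
                break
            if r.tactic != chain[len(matched)]:
                continue  # unrelated or out-of-order detection; ignore it
            if matched and r.when - matched[0].when > window:
                break     # chain did not complete inside the observation window
            matched.append(r)
        if len(matched) == len(chain):
            hits[host] = [(m.when.date().isoformat(), m.technique) for m in matched]
    return hits

# Constructed sample detection records spanning several weeks.
SAMPLE_DETECTIONS = [
    Detection("ws-0042", datetime(2025, 1, 6), "T1059", "execution"),
    Detection("ws-0042", datetime(2025, 1, 24), "T1003", "credential-access"),
    Detection("ws-0042", datetime(2025, 2, 18), "T1021", "lateral-movement"),
    Detection("ws-0213", datetime(2025, 1, 3), "T1021", "lateral-movement"),   # wrong order
    Detection("ws-0213", datetime(2025, 1, 30), "T1059", "execution"),
    Detection("srv-0009", datetime(2024, 9, 2), "T1059", "execution"),
    Detection("srv-0009", datetime(2024, 9, 20), "T1003", "credential-access"),
    Detection("srv-0009", datetime(2025, 2, 20), "T1021", "lateral-movement"),  # outside window
]
```

Only ws-0042 is reported: the same three steps on srv-0009 span more than 90 days, and ws-0213 shows lateral movement before any execution.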
Scalability, Delay, & Practical Experience
- [10:28–12:41]
- Tested on 3,000–4,000 endpoints and about 1,200–1,300 users.
- Approach is scalable because it focuses on high-level detections, not raw data.
- Queries executed every 15 minutes, running in seconds.
- Could target only critical departments or enclaves in massive enterprises.
Implementation Advice and Cautions
- [12:57–13:45]
- Success requires mature processes: active threat intelligence, high-quality detection engineering, and well-tuned alerts.
- “Don't be daunted... you need a whole lot of base level skills to make this work... you need to have very mature detection engineering... it is a journey.” — Eric LeBlanc [12:57]
Notable Quotes & Memorable Moments
- On Chrome and uBlock Origin:
- "You don't actually have to remove it, you are able to reactivate it. For now, just Google doesn't make that very obvious." — Johannes B. Ullrich [01:17]
- On Android TV Backdoors:
- "Not too much really you can do ... other than, well, be careful where you're buying these devices from..." — Johannes B. Ullrich [03:22–03:25]
- On Meta Detection Approach:
- "[Meta detection] examines your detections over a longer period... tracking things using the MITRE ATT&CK framework... trying to connect dots within your environment." — Eric LeBlanc [04:20–04:50]
- On Real-World Implementation:
- "It's not unique to that specific tool, but it was one that we're using in our environment." — Eric LeBlanc [10:14]
- Final Advice for Listeners:
- "You need a whole lot of base level skills to make this work... it is a journey, so there's a lot of underlying assumptions there that are required, and the only way to get there is to actually do the work." — Eric LeBlanc [12:57]
Timestamps for Important Segments
- Chrome vs. Extension Battle: 00:00–01:51
- Kibana Vulnerability: 01:53–03:22
- Pre-Compromised Android TV Devices: 03:22–03:47
- Interview with Eric LeBlanc (APT detection): 03:47–13:45
Episode Summary
This episode blends practical news with strategy advice: Chrome's ad blocker clampdown, Kibana’s urgent vulnerability, and another wave of compromised IoT devices serve as reminders of evolving cyber risks. The main feature, Eric LeBlanc’s interview, offers a high-level, actionable look at meta detection for APTs: using smarter, longer-term analysis powered by structured threat intelligence and detection engineering. If you want to know how mature organizations chase adversaries across months—and what it takes to implement those techniques—this brisk listen is essential.
